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Chapter 1: Introduction 



This chapter describes how to manage enterprise and non-enterprise instant 
messaging (IM) traffic through the ProxySG IM proxies. 

The ProxySG allows you to control, track, and record communications that 
occur over AOL, MSN, or Yahoo IM clients on your corporate networks. The 
Streaming proxies allow you to alter allowed bandwidth and manage the 
broadcasts of streaming content over Microsoft and RealNetworks (with 
limited support for Apple) protocols. 

This document contains the following chapters: 

□ Chapter 2: "Managing Instant Messaging Protocols" on page 9 

□ Chapter 3: "Managing Streaming Media" on page 35 

Document Conventions 

The following section lists the typographical and Command Line Interface 
(CLI) syntax conventions used in this manual. 



Table 1-1 Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Screen output. For example, command line text, file names, and 
Blue Coat Content Policy Language (CPL). 


Courier Italics 


A command line variable that is to be substituted with a literal 
name or value pertaining to the appropriate facet of your 
network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


Arial Boldface 


Screen elements in the Management Console. 


{ } 


One of the parameters enclosed within the braces must be 
supplied 


[ ] 


An optional parameter or parameters. 


1 


Either the parameter before or after the pipe character can or 
must be selected, but not both. 



Notes and Warnings 

The following is provided for your information and to caution you against 
actions that can result in data loss or personal injury: 



Note: Information to which you should pay attention. 
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Important: Critical information that is not related to equipment damage or 

personal injury (for example, data loss). 



WARNING! Used only to inform you of danger of personal injury or physical 
damage to equipment. An example is a warning against electrostatic discharge 
(ESD) when installing equipment. 



8 



Chapter 2: Managing Instant Messaging Protocols 



This chapter discusses how to control Instant Messaging (IM) activity through 
the ProxySG. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "About the Risks of Instant Messaging" on page 9 

□ "About the Blue Coat IM Proxies" on page 9 

□ "About Instant Message Network Inter-activity" on page 11 

□ "Configuring ProxySG IM Proxies" on page 14 

□ "Configuring IM Clients" on page 21 

□ "Policy Examples" on page 26 

□ "Reference: Equivalent IM CLI Commands" on page 29 

□ "Reference: Access Log Fields" on page 30 

□ "Reference: CPL Triggers, Properties, and Actions" on page 31 

□ "IM History Statistics" on page 31 

About the Risks of Instant Messaging 

Instant Messaging use in an enterprise environment creates security concerns 
because regardless of how network security is configured, IM connections can 
occur from any established protocol, such as HTTP or SOCKS, on any open 
port. Because it is common for coworkers to use IM to communicate, especially 
in remote offices, classified company information can be exposed outside the 
network. Viruses and other malicious code can also be introduced into the 
network from file sharing through IM clients. 

About the Blue Coat IM Proxies 

The ProxySG serves as an IM proxy. With policy, you can control IM actions by 
allowing or denying IM communications and file sharing based on users (both 
employee identities and IM handles), groups, file types and names, and other 
triggers. All IM communications can be logged and archived for review. 

The ProxySG supports the AOL, MSN, and Yahoo IM client protocols. For the 
most current list of supported client versions, refer to the most current Release 
Notes for this release. 
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HTTP Proxy Support 

The ProxySG supports instant messaging through the HTTP proxy. IM clients are 
configured to connect to IM services through HTTP, which allows IM activity 
from behind restrictive firewalls. 

The application of policies and IM activity logging is accomplished by the HTTP 
proxy handing off IM communications to the IM proxy. 

Notes 

□ AOL — Direct connections, file transfers, and files sharing are not available. 

□ Yahoo — Client cannot create a chat room. 

Instant Messaging Proxy Authentication 

The ProxySG supports explicit proxy authentication if explicit SOCKS V5 proxy is 
specified in the IM client configuration. 

Because the IM protocols do not natively support proxy authentication, 
authentication for transparently redirected clients is not supported because 
policies requiring authentication would deny transparently redirected clients. 

Notes 

Consider the following proxy authentication notes, which apply to IM clients 
using HTTP proxy: 

□ AOL IM — Proxy authentication is supported. 

□ MSN IM (5.0 and above) — The ProxySG supports MSN/Live Messenger if the 
appliance is configured to use HTTP Proxy Auth code 407, not HTTP auth 
code 401. 

□ Yahoo IM — Yahoo IM clients do not have proxy authentication configuration 
abilities. 

/Access Logging 

Access log entries occur from various IM actions, such as logging on or joining a 
chat room. By default, the ProxySG uses the Blue Coat IM access log format: 

date time c-ip cs-username cs-auth-group cs-protocol x-im-method x-im- 
user-id x-im-user-name x-im-user-state x-im-client-info x-im-buddy-id 
x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-chat-room-type 
x-im-chat-room-members x-im-message-text x-im-message-size x-im- 
message-route x-im-message-type x-im-f ile-path x-im-file-size s-action 

For a reference list and descriptions of used log fields, see "Reference: Access Log 
Fields" on page 30. 

Managing Skype 

Skype is the most used IM service outside of the United States. It provides free 
PC-to-PC calling using VoIP. Skype communication is based on Peer-to-Peer 
technology. Managing Skype communications requires the creation of firewall 
and ProxySG policies, procedures that are outside the scope of this chapter. 
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See the Blue Coat Controlling Skype Technical Brief, available on the Blue Coat Web 
site Download page. 

About Instant Message Network Inter-activity 

This section discusses IM deployment and describes IM reflection, which is how 
the ProxySG policy dictates IM communications. 

Recommended Deployments 

Blue Coat recommends the following deployments: 

□ For large networks with unimpeded Internet access. Blue Coat recommends 
transparently redirecting the IM protocols to the ProxySG, which requires the 
ProxySG bridging feature or an L4 switch or WCCP 

□ For networks that do not allow outbound access. Blue Coat recommends 
using the SOCKS proxy and configuring policy and content filtering denials 
for HTTP requests to IM servers. 

About Instant Messaging Reflection 

IM reflection allows you to contain IM traffic within the enterprise network, 
which further reduces the risk of exposing company-confidential information 
through public IM networks or allow a client to incur a virus or malicious code. 
Normally, an IM sent from one buddy to another is sent to and from an IM 
service. With IM reflection, IM traffic between buddies, including chat messaging, 
on the same network never has to travel beyond the ProxySG. This includes IM 
users who login to two different ProxySG appliances configured in a hierarchy 
(proxy chaining). 

IM Reflection with Fail Open 

When the ProxySG policy is configured to fail open, IM reflection operates 
essentially the same as pass through mode. All messages are allowed in and out 
of the network. The following diagram illustrates IM processes with ProxySG fail 
open policy. 
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\ 

C 

Legend 

A: IM client 1 — logged into the ProxySG. 

B: IM client 2 — logged into the ProxySG. 

C: IM client 3 — outside the network. 

D: ProxySG configured to reflect all IM activity, but with fail open policy. 

E: IM service provider. 

Process Flow 

1 : (Blue arrows) IM client 1 , an employee, sends an IM directed to a co-worker: “Did you finish 
coding Project X?” 

2: The ProxySG directs the message to IM client 2, who is an employee on the same network, 
who is able to respond: “Yes! The system runs ten times faster now!” 

3: (Green arrows) IM client 1 sends an IM directed to a friend: “Want to see a movie tonight?” 

4: The ProxySG allows the message to leave the network and ultimately arrive to IM client 3. 

Figure 2-1 IM Reflection with ProxySG fail open policy. 

IM Reflection With Fail Closed 

If the ProxySG is configured with fail closed policy, messages cannot leave the 
network (they never reach the IM service provider). Only clients on allowed 
enterprise networks can send and receive IMs. The following diagram illustrates 
IM processes with ProxySG fail closed policy 
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Legend 

A: IM client 1 — logged into the ProxySG. 

B: IM client 2 — logged into the ProxySG. 

C: IM client 3 — outside the network. 

D: ProxySG configured to reflect all IM activity, but with fail closed policy. 

E: IM service provider. 

Process Flow 

1 : (Blue arrows) IM client 1 , an employee, sends an IM directed to a co-worker: “Did you finish 
coding Project X?”. 

2: The ProxySG directs the message to IM client 2, who is an employee on the same network, 
who is able to respond: “Yes! The system runs ten times faster now!”. 

3: (Green arrow) IM client 1 sends an IM directed to a friend (IM client 3): “Want to see a movie 
tonight?”. 

4: (Red arrow) The ProxySG does not allow the message to leave the network; IM client 1 
receives an automated response: “Denial of service. Please review the company IM policy.” 



Figure 2-2 IM Reflection with ProxySG fail close policy 



IM Reflection With A Hierarchy Of Proxies 

While the previous two sections document the conceptual fail open/ fail closed 
functionality, larger, more typical enterprise networks have users logging in 
through different primary ProxySG appliances. IM reflection involving clients in 
different buildings and even on different sites is still possible by using SOCKS 
and HTTP forwarding, policy, and an ProxySG hierarchy The following diagram 
illustrates IM processes with ProxySG proxy chaining and a combination of fail 
open/ fail closed policies. 



13 




Volume 3: Web Communication Proxies 




Legend 



A 



B 



BC_SG1 : Located in building 1 of the corporate campus; configured to fail open. 
BC_SG2: Located in building 2 of the corporate campus; configured to fail open. 
BC_SG3: Located in the IT lab of the corporate campus; configured to fail open. 
BC_SG4: Located in the IT lab of the corporate campus; configured to fail close. 
BC_SG5: Located at a branch location. 



A: IM client 1 — logged into BC_SG1. 

B: IM client 2 — logged into BC_SG2. 

C: IM client 3 — logged into BC_SG5. 

D: IM client 4 — off the corporate network. 
E: IM service provider. 

Process Flow 



1 : (Blue arrows) IM client 1 , a project manager, sends an IM directed to IM client 2, the QA lead: 
“Did you finish testing Project X?”. BC_SG1 directs the message to IM client 2 (BC_SG3 to 
BC_SG2), who is able to respond: “Yes. Testing is complete.” 

2: (Blue-dashed arrows) IM client 1 sends an IM directed to a sales manager (IM client 3): 
“Project X is complete.” BC_SG4 recognizes the destination as allowable, and IM client 
receives the message and is able respond: “Excellent. We we start announcing Project X.” 

3: (Red arrows) IM client 2 attempts to send an IM to a personal buddy. “We finally finished 
Project X.” BC_SG4, configured to fail close, does not allow the message to leave the network; 
IM client 2 receives an automated response: “Denial of service. Please review the company IM 
policy.” 



Figure 2-3 Proxy chaining deployment with fail open/fail closed policies. 



Configuring ProxySG IM Proxies 

This chapter contains the following sections: 

□ "Intercepting Default IM Services" on page 15 

□ "Redirecting IM Client Requests" on page 18 
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□ "The Default IM Hosts" on page 19 

□ "Handing Off Instant Messaging to HTTP" on page 20 

□ "Configuring IM Alerts" on page 20 

Intercepting Default IM Services 

This section describes how to configure the ProxySG to intercept the default IM 
service ports. 

Defaults: 

□ Proxy Edition: Upon upgrade and on new systems, the ProxySG has IM 
services configured for transparent connections on the following ports: 

• AOL-IM: 5190 

• MSN-IM: 1863 and 6891 

• Yahoo-IM: 5050 and 5101 

□ MACH5 Edition: IM services are not created and are not included in trend 
data. 

Notes: 

□ MSN port 1863 and Yahoo port 5050 are the default client login ports. MSN 
port 6891 and Yahoo port 5101 are the default for client-to-client direct 
connections and file transfers. If these ports are not enabled: 

□ Client-to-client direct connections do not occur. 

□ After a file transfer request is allowed by the ProxySG, the resulting data is 
sent directly from one client to another without passing through the ProxySG: 

• For MSN: The above bullet point only applies to MSN version previous to 
and including 6.0. Post-6.0 versions use a dynamic port for file transfers; 
therefore, port 6891 is not required for the ProxySG to intercept file 
transfers. 

• For Yahoo: The above bullet only applies to standard file transfer requests. 
Port 5101 must be enabled to allow file list requests. 



Note: All file transfers for AOL clients are handled through the default (5190) 
or specified client login port. 



By default, these services are configured be Transparent and in Bypass mode. The 
following procedure describes how to change them to Intercept mode, and 
explains other attributes within the service. 

To configure the IM proxies services attributes: 

1. From the Management Console, select Configuration > Services > Proxy Services. 
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Proxy Services Static Bypass List | Restricted Intercept List 




3 



2. Scroll the list of service groups and click Other to expand the services list. 

3. As you expand the services for AOL, MSN, and Yahoo, notice the Action for 
each default service is Bypass. Select Intercept from the drop-down list(s) for 
the IM services that apply in your enterprise. 

4. Click Apply. 

If you do not have custom IM service ports, proceed to "Redirecting IM Client 
Requests" on page 18. 

Creating New IM Services For Custom Ports 

If your enterprise requires you to intercept IM traffic on ports other than the 
defaults, you can create custom services. 

To create custom IM services: 

1. From the Management Console, select Configuration > Services > Proxy Services. 





SI ► MS SQL Server 
$ ► MySQL 


1 


New Service Group 1 1 New Service 

— 


1 


Import Service 


[ 


Preview || Apply || Revert 



2. At the bottom of the page, click New Service. The New Service dialog displays. 
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3. Configure the new service attributes: 

a. Name the service (tip: cannot use the default service name, such as 

AOL IM). 

b. From the Service Group drop-down list, select Other. 

c. From the Proxy drop-down list in the Proxy settings area, select the IM 
type for this service. 

d. In the Listeners area, click New. The New Listener dialog displays. 
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4. Configure the new listener options: 

a. In the Destination address area, select All unless you want to restrict the 
service to specific IP addresses and subnets. 

b. In the Port range field, enter the port number or range of ports that this 
service listens on. For example: 1800 - 1890 . 

c. Select Intercept. 

d. Click OK to close the dialog. 

5. Click OK to close the New Service dialog. 

6. Click Apply. 

Result: The IM service status appears in Management Console. 

Redirecting IM Client Requests 

The ProxySG is configured as an IM proxy that performs a DNS redirection for 
client requests. This provides greater control because it prevents IM clients from 
making outside connections. 

The IM clients provide the DNS lookup to the IM server, which the ProxySG DNS 
module uses to connect to the IM server. To the client, the ProxySG appears to be 
the IM server. A virtual IP address used only for IM must be configured, as it is 
used to represent the IM server address for all IM protocols. 

To configure DNS redirection for IM: 

1. Select to Configuration > Network > Advanced > VIPs. 
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23- 



Bypass List | WCCP VIPs Failover 

Virtual IPs: 



Add Virtual IP 






IP Address 



Virtual IP: 



10 1 1 9 o- 



2b 



OK Cancel 



2. Create a virtual IP address: 



a. Click New. The Add Virtual IP dialog appears. 

b. Enter a unique IP address (used only to represent IM connections). 

c. Click OK to add the VIP to the list. 



3. Click Apply. 

4. From the Management Console, select Configuration > Services > IM Proxies > IM 
Proxy Settings. 

5. In the General Settings field, select 
the VIP from the Explicit Proxy 
Virtual IP drop-down list. 

6. Click Apply 

Result: IM clients regard the ProxySG 
as the IM server. 

Remain on this screen and continue to the next section. 



IM Proxy Settings 


IM Alert Settings 


n Enable HTTP Handoff 




Explicit Proxy Virtual IP: 


None 




None 


r Protocol Settings 





The Default IM Hosts 

Each IM client has hard-coded IM hosts. The ProxySG displays these values on 
the Configuration > Services > IM Proxies > IM Proxy Settings tab, which vary in number 
and fields dependent upon the selected IM protocol. Do not alter these hosts 
unless the client experiences a hard-coded change. 
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Handing Off Instant Messaging to HTTP 

HTTP handoff allows the Blue Coat HTTP proxy to handle requests from 
supported IM protocols. If HTTP handoff is disabled, requests are passed 
through, and IM-specific policies are not applied. Enable HTTP handoff if you 
create and apply IM policy. 

To allow a specific IM client to connect using the HTTP protocol through the 
ProxySG and that IM protocol has not been licensed, disable HTTP handoff to 
allow the traffic to be treated as plain HTTP traffic and to avoid an error in the 
licensing check performed by the IM module. This might be also be necessary to 
temporarily pass through traffic from new versions of IM clients that are not yet 
supported by Blue Coat. 

To enable HTTP handoff: 

1. From the Management Console, select 

Proxy Settings. 

2. In the General Settings field, select 

Enable HTTP Handoff. 

3. Click Apply. 

Result: IM-specific policies are 
applicable on IM communications. 

Configuring IM Alerts 

A ProxySG IM alert is an IM message sent to clients upon an action triggered by 
policy. An IM alert contains two elements: 

□ Admin buddy names: You can assign an administrator buddy name for each 
client type. An administrator buddy name can be a registered name user 
handle or a fictitious handle. The benefit of using a registered name is that 
users can send IM messages to the administrator directly to report any issues, 
and that communication can be logged for tracking and record-keeping. By 
default, the ProxySG assigns each IM protocol the admin buddy name: Blue 
Coat ProxySG. 

□ Exception message delivery method: Alert messages can be delivered in the 
same window or spawn a new window. 

To configure IM alert components: 

1. From the Management Console, select Configuration > Services > IM Proxies > IM 
Alert Settings. 



Configuration > Services > IM Proxies > IM 



IM Proxy Settings IM Alert Settings 

General Settings 



[3 Enable hitTP Handoff: 

Explicit Proxy Virtual IP : 10 . 1,1.9 
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IM Proxy Settings IM Alert Settings 

Admin buddy names 



AOL admin buddy: Example Corp IT 



MSN admin buddy: Example Corp HR 



Yahoo admin buddy: Example Corp HR 



r Exception message delivery 



3a 



3b 



■o 







O Send exception messages in a separate window (out-of-band) 

® Send exception messages in the existing window (in-band) 

Some exception messages will appear to be sent by the buddy. 

Prefix these messages with the text below: 

"Inappropriate IM use. Refer to Employee Conduct Handbook concerning Internet usage." 
o 



2. In the Admin buddy names field, enter the handle or handles to represent the 
administrator. In this example, the company sanctions AOL Messenger as the 
one used for internal communications. IM alerts are sent from Example Corp IT. 
MSN and Yahoo are acceptable for personal use, but a created policy denies 
file transfers. Alerts are sent from Example Corp HR. 



3. Specify the exceptions message delivery method: 

a. Send exception messages in a separate window (out-of-band) — If an 

exception occurs, the user receives the message in a separate IM 
window. 

b. Send exception messages in the existing window (in-band) — If an exception 
occurs, the message appears in the same IM window. The message 
appears to be sent by the buddy on the other end, with the exception 
that when in a chat room, the message always appears to be sent by 
the configured Admin buddy name. You can enter a prefix message 
that appears in the client window before the message. For example: 
Inappropriate IM use. Refer to Employee Conduct Handbook concerning Internet 
usage. 



Note: Regardless of the IM exception delivery configuration, IM alert 
messages triggered by policy based on certain protocol methods are 
always sent out-of-band because a specific buddy is not associated. 



4. Click Apply. 

ProxySG IM proxy configuration is complete. The final step is to configure IM 
clients to send traffic to the ProxySG. 

Configuring IM Clients 

This section describes how to configure the IM clients to send traffic through the 
ProxySG. 
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General Configuration 

As each IM client has different menu structures, the procedures to configure them 
differ. This section provides the generic tasks that need to be completed. 

Explicit Proxy 

Perform the following tasks on the IM client: 

1. Navigate to the Connection Preferences dialog. 

2. Select Use Proxies. 

3. Select proxy type as SOCKS V5. 

4. Enter the ProxySG IP address. 

5. Enter the SOCKS port number; the default is 1080. 

6. Enter authentication information, if required. 

Transparent Proxy 

IM clients do not require any configuration changes for transparent proxy. An L4 
switch or inline ProxySG routes the traffic. 

AOL Messenger Client Explicit Proxy Configuration 

The following example configures a Yahoo Messenger client for explicit proxy. 
Note: This example uses AOL Messenger 5.9. Other versions might vary. 

1. Select My AIM > Edit Options > Edit Preferences. 
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Navigate to Connection Preferences: 

a. Select Sign On/Off. 

b. Click Connection. 



3. Configure the proxy settings: 

a. Select Connect using proxy. 

b. In the Host field, enter the ProxySG IP address. If the default port is 
1080, accept it; if not, change it to port 1080. 

c. Select SOCKS 5. 

d. If authentication is required on the ProxySG, enter the authentication 
user name and password. 

e. Click OK to close the Connections Preferences dialog. 

4. Click OK to close the Preferences dialog. Result: the AOL client now sends 
traffic to the ProxySG. 



MSN Messenger Client Explicit Proxy Configuration 

The following example configures a Yahoo Messenger client for explicit proxy. 



Note: This example uses MSN Messenger 7.5. Other versions might vary. 



1. From MSN Messenger, select Tools > Options. 
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2. Navigate to Settings: 

a. Click Connection. 

b. Click Advanced Settings. The Settings dialog appears. 

3. Configure the proxy settings: 

a. In the SOCKS field, enter the ProxySG IP address. If the default port is 
1080, accept it; if not, change it to port 1080. 

b. If authentication is required on the ProxySG, enter the authentication 
user name and password. 

c. Click OK. 

4. Click OK to close the Options dialog. Result: the MSN client now sends traffic to 
the ProxySG. 

Yahoo Messenger Client Explicit Proxy Configuration 

The following example configures a Yahoo Messenger client for explicit proxy. 
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Note: This example uses Yahoo Messenger 7.0. Other versions might vary. 



1. From Yahoo Messenger, select Messenger > Preferences. 




2b 



2a 



2d 



2c 



2e 



2f 



2. Configure the following features: 

a. Click Connection. 

b. Select Use proxies. 

c. Select Enable SOCKS proxy; select Ver 5. 

d. Enter the ProxySG IP address. If the default port is 1080, accept it; if 
not, change it to port 1080. 

e. If authentication is required on the ProxySG, enter the authentication 
user name and password. 

f. Click Apply and OK. Result: the Yahoo client now sends traffic to the 
ProxySG. 

Notes 

If Yahoo Messenger is configured for explicit proxy (SOCKS) through the 
ProxySG, the IM voice chat feature is disabled. Any client attempting a voice chat 
with a client behind the ProxySG firewall receives an error message. The voice 
data stream is carried by default on port 5001; therefore, you can create and open 
this port and configure Yahoo IM to use transparent proxy. However, the 
ProxySG only supports the voice data in pass-through mode. 
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Policy Examples 

After the IM clients are configured to send traffic through the ProxySG, you can 
control and limit IM activity The Visual Policy Manager (VPM) allows you to 
create rules that control and track IM communications, including IM activities 
based on users and groups, IM handle, chat room handle, file name, and other 
triggers. 

To learn about the VPM, refer to Volume 6: The Visual Policy Manager and Advanced 
Policy. 

Example 1: File Transfer 

The following example demonstrates an IM rule created with the VPM that IM 
handle Nigell can perform a file transfer at any time, but the file must be between 
1 and 5 MB in size, and the handle, the file path, and file size are logged. 



2a 



2b 



File Editp^Policy Configuration View Help 




i Delete Rule 



^ Move Up 



fr Move Down 



IM_File_Transfer 
No. Source 

ciE 



Destination Service Time Action 

|Any |Any |Any |Q Deny 



Track 

None 



Existing Source Objects 

Show 



* 



All (sort by object-name) 



pj Authenticated User 



a? Client Hostname Unavailable 
sfl Streaming Client 



Add IM User Object 



IM User: Nigell 



2c 



OK 



Cancel 



c= ■ New.. 



OK 



Cancel 



Edit.. 



Help 



1. In the VPM, select Policy > Add Web Access Layer; name it IM_File_Transfer. 

2. Create a new IM user object: 



a. Right-click the Source field; select Set. The Set Source Object dialog 
appears. 

b. Click New; select IM User. The Add IM User Object dialog appears. 

c. In the IM User field, enter Nigell; click OK in each dialog. 
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3. Create a File Transfer object: 

a. Right-click the Service field; select Set. The Set Service Object dialog 
appears. 

b. Click New; select IM File Transfer. The Add IM File Transfer dialog 
appears. 

c. Select Size and enter a range 1 and 5. 

d. Select MBytes from the drop-down list; click OK in each dialog. 

4. Right-click the Track field; select Set. The Add Track Object dialog appears. 

5. Click New; select Event Log. The Add Event Log Object dialog appears. 
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6 



6. From the Substitution Variables list, select x-im-buddy-name and click insert. 
Repeat for x-im-file-path and x-im-file-size. Click OK in each dialog. 




7. In the VPM, click Install Policy. 

Example 2: Send an IM Alert Message 

The following example demonstrates a rule created with the VPM that informs all 
IM users when they login that their IM activity is tracked and logged. 

1. In the VPM, select Policy > Add Web Access Layer; name it IM_NotifyMessage. 

2. Right-click the Service field; select Set. The Set Service Object dialog appears. 

3. Click New; select Protocol Methods. The Add Methods Object dialog appears. 
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4. Configure protocol method options: 

a. From the Protocol drop-down list, select Instant Messaging. 

b. Click Login/Logout; LOGIN; click OK to close the dialog; click OK to 
insert the object in the rule. 

c. Click OK in each dialog. 

5. Right-click the Action field; select Set. The Set Action Object dialog appears. 

6. Click New; select Send IM Alert. The Add Send IM Alert Object dialog appears. 




7. In the Alert Text field, enter a message that appears to users. For example. 

Employee notice: Your Instant Messaging activity is tracked and logged. 

8. Click OK to close the dialog; click OK to insert the object in the rule. 

9. Click Install Policy. 

Reference: Equivalent IM CLI Commands 

The configuration tasks describes in this chapter can also be accomplished 
through the ProxySG CLI. The following are the equivalent CLI command 
syntaxes: 
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□ To enter configuration mode: 

SGOS# (config) proxy- services 

SGOS# (config proxy-services) create {aol-im | msn-im | yahoo-im} 
service name 

□ The following submodes are available: 



SGOS# (config proxy-services) edit service-name 

SGOS# (config service-name) add all | ipaddress | ip_addres s / subnet- 
mask} { port | first_port-last_port } [intercept | bypass] 

SGOS# (config service-name) attribute ref lect-client-ip {enable | 
disable } 

SGOS# (config service-name ) bypass all | ipaddress | ipaddress/ 
subnet-mask} { port \ first_port-last_port } 

SGOS# (config service-name ) exit 

SGOS# (config service-name ) intercept all | ipaddress | ip_address/ 
subnet-mask] {port | first_port-last_port} 

SGOS# (config service-name) remove all | ipaddress | ip_address/ 
subnet-mask } {port | first_port-last_port} 

SGOS# (config service-name) view 



Reference: Access Log Fields 

The default Blue Coat IM fields are (only IM-specific or relative are listed and 
described): 

□ cs-protocoi: Protocol used in the client's request. 

□ x-im-method: The method associated with the instant message. 

□ x-im-user-id: Instant messaging user identifier. 

□ x-im-user-name: Display name of the client. 

□ x-im-user-state: Instant messaging user state. 

□ x-im-client-info: The instant messaging client information. 

□ x-im-buddy-id: Instant messaging buddy ID. 

□ x-im-buddy-name: Instant messaging buddy display name. 

□ x-im-buddy-state: Instant messaging buddy state 

□ x-im- chat -room- id: Instant messaging identifier of the chat room in use. 

□ x-im-chat-room-type: The chat room type, one of public or public, and possibly 
invite_only, voice and/ or conference. 

□ x-im- chat-room-members: The list of chat room member IDs. 

□ x-im-message-text: Text of the instant message. 

□ x-im-message-size: Length of the instant message 

□ x-im-message-route: The route of the instance message. 

□ x-im-message-type: The type of the instant message. 

□ x-im-f ile-path: Path of the file associated with an instant message. 
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□ x-im-f ile-size: Size of the file (in...?) associated with an instant message. 

Reference: CPL Triggers, Properties, and Actions 

The following Blue Coat CPL is supported for IM: 

Triggers 

□ im.buddy= 

□ im. chat_room. conference= 

□ im.chat room.id= 

□ im.chat room. invite only= 

□ im.chat room.type= 

□ im.chat room.member= 

□ im. chat_room. voice_enabled= 

□ im.client= 

□ im. file . extension= 

□ im. file . name= 

□ im. file . path= 

□ im. file . size= 

□ im. message . opcode= 

□ im. message . ref lected= 

□ im. message . route= 

□ im. message . size= 

□ im. message . text= 

□ im. message . type= 

□ im.method= 

□ im. user_agent= 

□ im.user id= 

Properties and Actions 

□ im. block_encryptions ( ) 

□ im. reflect ( ) 

□ im. strip_attachments ( ) 

□ im. transport ( ) 

□ im. alert ( ) 

IM History Statistics 

The IM statistics allow you to track IM connections, file transfers, and messages 
that are currently in use and in total, or have been allowed and denied. The 
information can be displayed for each IM client type or combined. 

IM Connection Data Tab 

The following IM Connection Data statistics indicate current and overall 
connection data since the last statistics clear: 
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□ Native Clients — The number of native IM clients connected. 

□ HTTP Clients — The number of HTTP IM clients connected. 

□ Chat Sessions — The number of IM chats occurring. 

□ Direct IM Sessions — The number of chats using direct connections. 

□ File Transfers — The number of file transfers sent through IM clients. 

To view the connection data statistics: 

1. Select Statistics > Protocol Details > IM History > IM Connection Data. 




2. The default protocol is All. To select a specific protocol, select AOL, MSN, or 
Yahoo from the drop-down list. 

IM Activity Data Tab 

The following IM Activity Data statistics indicate allowed and denied connections 
since the last statistics clear: 

□ Logins — The number of times IM clients have logged in. 

□ Messages — The number of IM messages. 

□ File Transfers — The number of file transfers sent through IM clients. 

□ Voice Chats — The number of voice conversations through IM clients. 

□ Messages — The number of IM messages reflected or not reflected (if IM 
Reflection policy is enabled). 



Note: The IM activity data statistics are available only through the Management 
Console. 



To view the activity data statistics: 

1. Select Statistics > Protocol Details > IM History > IM Activity Data. 



32 




Chapter 2: Managing Instant Messaging Protocols 



Statistics 



Health: OK 
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Traffic History 
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Voice Chats: 


0 

Reflected 


0 

Not Reflected 


Messages: 


0 
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Help 



2. The default protocol is All. To select a specific protocol, select AOL, MSN, or 
Yahoo from the drop-down list. 



IM Clients Tab 

The IM Clients tab displays dynamic graphical statistics for connections over 60 
minutes, 24 hours and 30 days. The page displays all values in the graph or clip a 
percentage of peak values. When peak values are clipped by a percentage, that 
percentage is allowed to fall off the top of the scale. 

For example, if you clip 25% of the peaks, the top 25% of the values are allowed to 
exceed the scale for the graph, showing greater detail for the remaining 75% of the 
values. 

Move the cursor over the graphs to dynamically display the color-coded AOL, 
MSN, Yahoo, and total statistics. 



Note: The IM clients statistics are available only through the Management 
Console. 



To view the client connection statistics: 

1. Select Statistics > Protocol Details > IM History > IM Clients. 
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Statistics 



Health: OK 



Traffic Mix 
Traffic History 
ADN History 
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Duration: Last Hour v | 




2. Select the Duration: for which the graph displays. The default is last hour. You 
can select from last hour, last day, last month and all periods. 

3. (Optional) To set the graph scale to a different value, select a value from the 

Graph scale should drop-down list. 
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This chapter describes how to manage streaming content on the enterprise 

network through the ProxySG streaming proxies. 

Topics of this Chapter 

This chapter includes information about the following topics: 

□ Section A: "Concepts: Streaming Media" on page 36 — Explain general 
streaming solution concepts and terminology, as well as ProxySG streaming 
solution concepts and functionality 

□ Section B: "Configuring Streaming Media" on page 51 — Provides 
procedures for configuring the ProxySG to manage streaming media 
applications and bandwidth. 

□ Section C: "Additional Windows Media Configuration Tasks" on page 65 — 
Provides additional procedures for configuring Windows Media. 

□ Section D: "Configuring Windows Media Player" on page 75 — Explains 

□ how to configure the Windows Media client and describes associated 
interactivities and access log conventions. 

□ Section E: "Configuring RealPlayer" on page 79 — Explains how to configure 
the Real Media client. 

□ Section F: "Configuring QuickTime Player" on page 83 — Describes how to 
configure the QuickTime client. 

□ Section G: "Supported Streaming Media Clients and Protocols" on page 
84 — Describes the vendor-specific streaming protocols supported by the 
ProxySG. 
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Section A: Concepts: Streaming Media 

Section A: Concepts: Streaming Media 

This section contains the following topics: 

□ "How the ProxySG Accelerates and Controls Media Streaming" on page 36 

□ "What is Streaming Media?" on page 36 

□ "About Windows Media" on page 37 

□ "About Processing Streaming Media Content" on page 41 

□ "About Streaming Media Authentication" on page 48 

How the ProxySG Accelerates and Controls Media Streaming 

The ProxySG streaming media proxies allow you to monitor, control, limit, or 
even block streaming media traffic on your network. Using the ProxySG for 
streaming delivery improves the quality of streaming media, reducing stutter and 
static. It supports the most popular streaming media clients: Windows Media, 
Real Media, and QuickTime. 

ProxySG supports a variety of acceleration, control, and visibility features for 
streaming media. It provides acceleration features such as live splitting, video-on- 
demand caching, content prepopulation, and multicasting. It also offers control 
and visibility features such as fine-grained policy control including 
authentication, bandwidth limiting, access logging, and limiting the maximum 
user connections. ProxySG supports all the delivery methods supported by the 
client applications: TCP and UDP for unicast, HTTP, and multicast. 

For example, ProxySG's pre-population process can deliver on-demand videos to 
branch offices during off-hours and save them for future viewing. ProxySG 
appliances can also cache or save video requested from the headquarters location 
by a user in a branch office and store it locally for use by subsequent viewers. In 
the case of live video broadcasts, ProxySG appliances can take a single stream of 
video and then split it locally into enough streams to serve all local viewers; this is 
called live splitting. The appliance's ability to identify individual users also 
enables the company to track which employees have watched required videos. 

What is Streaming Media? 

Streaming media is a term used to describe media files that are served in discrete 
paced individual packets rather than in bulk, playing while they are being 
transmitted over the network to the media player on the client computer. In 
contrast, conventional Web files, which are downloaded through a file transfer, 
must be downloaded entirely before the user can view them. Commonly 
requested types of streaming media are video and audio. Streaming media also 
includes interactive media, cartoon-like animations, panoramic data, and more. 

Live versus On-Demand Streaming Media 

Streaming media is delivered in the following ways: 
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□ Live media streams Live media streams occur in real time, like the news 
program that you watch on your television set. Some organizations record a 
live media stream and then broadcast the media stream to their employees or 
customers at a specified time. All users who have requested the media stream 
see the same media stream at the same time. Users are not able to rewind or 
fast-forward the media stream. 

□ On-demand (previously-recorded) media streams Users can request these 
on-demand media streams at a time most convenient to them. Users can 
pause the media, seek to a different position, rewind, and fast-forward on- 
demand media streams. On-demand streaming content is commonly referred 
to as VOD (vide-on-demand). 

ProxySG supports both of these types of streaming media. 

Streaming Media and Bandwidth 

Video, audio, and other streaming media use a considerable amount of 
bandwidth — much more than the amount of bandwidth needed for Web and 
news traffic. For example, a media stream could require 10 KB each second, 
whereas a Web page that the user views for 10 seconds could require 10 KB. 

In the typical streaming server-client model, the streaming server sends a 
separate copy of the media stream to each client that requested the same unique 
stream. Because streaming media uses a considerable amount of bandwidth, 
delivering multiple copies of the same media data between the streaming server 
and the clients can cause significant network and server congestion. The more 
clients that request the same media stream, the more bandwidth is used. 

Planning for efficient bandwidth use is important for streaming media because 
bandwidth use has a direct correspondence to the quality of the media streams 
that are delivered to the clients. If your network is congested, your users are likely 
to experience problems such as jagged video, patchy audio, and unsynchronized 
video and audio as packets are dropped or arrive late. Conversely, the more 
bandwidth that is available, the better the quality of media streams. 

The ProxySG has several methods for allocating bandwidth to streaming media 
traffic. See "Limiting Bandwidth" on page 43. 

About Windows Media 

For heightened security and control, some enterprises prefer network 
environments that restrict Web traffic access (gateway connections) to port 80. 
Furthermore, beginning with Windows Media Player (WMP) version 11, WMP 
clients do not use the Microsoft Media Services (MMS) protocol — opting instead 
for traffic over HTTP and the Real Time Streaming Protocol (RTSP). 

Windows Media streaming over HTTP differs slightly from downloading 
Windows Media objects over HTTP, which can be stored on any Web server. 
Streaming content, however, must be hosted on Windows Media Servers that 
allow the streaming of content over port 80. 
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Beginning in version 5.3, SGOS offers unified support for WM content delivered 
over RTSP and HTTP. The ProxySG HTTP proxy hands off Windows Media 
Player HTTP streaming requests to the Windows Media HTTP Module, which 
itself is a component of the Windows Media RTSP Proxy. 

The ProxySG supports the caching of WM content over the RTSP and HTTP 
protocols. The ProxySG uses the same object cache, which means the content can 
be served over RTSP and HTTP protocols. WM-HTTP and WM-RTSP both share 
the same cache. 

Live splitting is also supported over both protocols, where all RTSP clients are 
served by an RTSP splitter and all HTTP clients are served by a separate HTTP 
splitter, involving two separate live streams to the server, one each for RTSP and 
HTTP. 

Pre-Populating WM Objects Hosted on a Web Server 

SGOS 5.3 also supports pre-population of WM content from a Web server for the 
subsequent serving of RTSP and HTTP streaming requests for the content from 
the cache. This feature is in addition to the already existing support for pre- 
population of WM content from a WM server using the RTSP protocol. Existing 
content CLI commands can be used for this feature. 

For example: 

content distribute rtsp : // wm server/bar . wmv from http : //web server/ 
bar . wmv 



Note: In the example above, rtsp : //wm server/bar . wmv should also be accessible 

as a streaming object on a streaming server. 



Windows Media Deployment 

In a Gateway Proxy deployment, the ProxySG supports the caching and splitting 
of WM content over the RTSP and HTTP protocols. In addition, there are 
streaming-specific acceleration and policy checks for WM HTTP streaming traffic. 

In a Reverse Proxy deployment, the ProxySG can function as a Windows Media 
server, with WM content delivered over the RTSP and HTTP protocols. 

As a Content Delivery Network (CDN) node, the ProxySG supports a shared 
cache for pre-populated content for delivery over RTSP or HTTP protocols. 

Deployment action: Windows Media clients must be configured to enable the 
HTTP protocol to stream the WM content using HTTP protocol. Similarly, WM 
clients must be configured to enable RTSP/TCP, and/or RTSP/UDP protocols to 
stream WM content using RTSP protocol. 



Supported Streaming Features 

The following table describes the supported Windows Media streaming features. 
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Live Support 



Table 3-1 Windows Media live streaming feature support 



Feature 


Live Support 


Multi-Bit Rate and Thinning 


Yes 


UDP Retransmission 


No 


Server-Side Playlists 


Yes 


Stream Change 


Yes 


Splitting Server- Authenticated Data 


Yes 


Splitting Proxy- Authenticated Data 


Yes 



On-Demand Support 



Table 3-2 Windows Media on-demand streaming feature support 



Feature 


On-Demand Support 


Multi-Bit Rate and Thinning 


Yes 


Fast Forward and Rewind 


No Caching 


Fast Streaming 


Yes 


UDP Retransmission 


No 


Server-Side Playlists 


No Caching 


Stream Change 


No 


Caching Server- Authenticated Data 


Yes 


Caching Proxy-Authenticated Data 


Yes 


Adherence to RTSP Cache Directives 


Yes 


Partial File Caching 


Yes 


File Invalidation/Freshness checking for 
Cached Files 


Yes 



Multicast Support 



Table 3-3 Windows Media Multicast UDP streaming feature support 



Feature 


Multicast 


Multi-Bit Rate and Thinning 


Yes 


Server-Side Playlists 


No 


Stream Change 


No 
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Table 3-3 Windows Media Multicast UDP streaming feature support (Continued) 



Feature 


Multicast 


Multicasting Server-Authenticated Data 


No 


Multicasting Proxy- Authenticated Data 


No 



Other Supported Features 

The Windows Media streaming feature also supports the following features: 

□ Access logging for unicast clients 

□ Summary statistics in the Management Console 

□ Detailed statistics 

□ Forwarding of client streaming logs to origin servers. 

Supported VPM Properties and Actions 

Windows Media supports the following policy properties and actions: 

□ allow, deny, force_deny 

□ access server (yes | no) . Forces the ProxySG to deliver content only from the 
cache. Requests for live streams are denied. 

□ authenticate (realm) 

□ forward (alias_list I no) 

□ forward . fail_open ( yes | no ) 

□ ref lect_ip (auto | no | client | vip | <ip address>) 

□ bypass cache (yes | no) . Forces the ProxySG to deliver content in pass-through 
mode. 

□ limit_bandwidth ( ) 

□ rewrite ( ) . One-way URL rewrite of server-side URLs is supported. 

Windows Media also supports the following streaming-relevant properties: 

□ max titrate (bitrate | no) . Sets the maximum bit rate that can be served to the 
client. (This property does not apply to the bit rate consumed on the gateway 
connection.) If the bit rate of a client-side session exceeds the maximum bit 
rate set by policy, that client session is denied. 

□ force cache (yes | no) . Causes the ProxySG to ignore cache directives and 
cache VOD content while serving it to clients. 



Note: Windows Media does not support policy-based streaming transport 
selection. 
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Bandwidth Management 

Windows Media supports bandwidth management for both client-side and 
gateway-side streaming traffic. Bandwidth limits are also be supported for pass- 
through streams. See "Limiting Bandwidth" on page 43 for more information. 

About Processing Streaming Media Content 

The following sections describe how the ProxySG processes, stores, and serves 
streaming media requests. Using the ProxySG for streaming delivery minimizes 
bandwidth use by allowing the ProxySG to handle the broadcast and allows for 
policy enforcement over streaming use. The delivery method depends on whether 
the content is live or video-on-demand. 

Delivery Methods 

The ProxySG supports the following streaming delivery methods: 

□ Unicast — A one-to-one transmission, where each client connects individually 
to the source, and a separate copy of data is delivered from the source to each 
client that requests it. Unicast supports both TCP- and UDP-based protocols. 
The majority of streaming media traffic on the Internet is unicast. 

□ Multicast — Allows efficient delivery of streaming content to a large number of 
users. Multicast enables hundreds or thousands of clients to play a single 
stream, thus minimizing bandwidth use. 

The following table provides a high-level comparison of unicast and multicast 
transmission. 

Table 3-4 Unicast vs. Multicast 



Element 


Unicast 


Multicast 


Connections 


One-to-one transmission 


One-to-many transmission 


Transport 


TCP, UDP, HTTP 


IP multicast channel 


Type of stream 


Video-on-demand or live 
streams 


Live streams only 


Device requirement 


The network devices use 
unicast. 


The network devices must 
support multicast (not all 
do). 



Serving Content: Live Unicast 

A live broadcast can either be truly live or can be of prerecorded content. A 
common example is a company president making a speech to all employees. 

A ProxySG can serve many clients through one unicast connection by receiving 
the content from the origin content server (OCS) and then splitting that stream to 
the clients that request it. This method saves server-side bandwidth and reduces 
the server load. 
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Note that you cannot pause or rewind live broadcasts. 

Serving Content: Video-on-Demand Unicast 

Video-on-demand (VOD) is a service in which individuals can select 
programming from a central information bank, allowing a movie or film clip to be 
broadcasted immediately when requested. Common examples of VOD include 
training videos or news broadcasts. 

A ProxySG stores frequently requested data and distributes it upon client 
requests. Because the ProxySG is closer to the client than the origin server, the 
data is served locally, which saves firewall bandwidth and increases quality of 
service by reducing pauses or buffering during playback. Because of its proximity 
to the end user, the ProxySG provides higher quality streams (also dependent on 
the client connection rate) than the origin server. 

Note that VOD content can be paused, rewound, and played back. 

Serving Content: Multicast Streaming 

Multicast transmission is analogous to a radio frequency on which any device can 
listen. Any device that supports multicast can transmit on the multicast channel. 
One copy of the data is sent to a group address. Devices in the group listen for 
traffic at the group address and join the stream if clients in the routing tree are 
requesting the stream. Only the group participants receive the traffic at the 
address associated with the group. Broadcasts differ from multicast because 
broadcast traffic is sent to the entire network. 

For multicast transmission to occur, the network devices through which the 
content is to be sent must support multicast. In particular: 

□ Content creators must explicitly set up their streaming servers to support 
multicast. 

For example, for Windows Media, content creators can set up multicast- 
enabled stations, stations that are not multicast-enabled, or both. For 
RealNetworks, the configuration of the server includes specifying whether the 
server supports multicast and, if so, which clients (subnets) can use multicast. 

□ Routers on the path must support multicast. 

□ Clients must request a multicast transmission. Media players that are set for 
multicast transmission simply join the multicast channel to receive the 
streaming data, sometimes without establishing an explicit one-to-one 
connection to the device sending the transmission. 

Benefits of Multicast 

The benefits of using multicast for streaming media include the following: 

□ It alleviates network congestion. 



42 



Chapter 3: Managing Streaming Media 



Section A: Concepts: Streaming Media 

□ For live streaming events that have a large audience, multicast significantly 
reduces network traffic compared to the traffic that would result from 
transmitting the same live event over unicast. If unicast transport is used, the 
same content must be sent across the network multiple times or it must be 
broadcast to all devices on the network. 

□ It scales well as the number of participants expand. 

□ It is well suited for efficient transmission over satellite links. 

A company might, for example want to reserve WAN connections for 
business-critical traffic, such as stock trades, but it needs a way to deliver 
corporate broadcasts. The company could efficiently transmit corporate 
broadcasts over satellite by using multicast transmission and reserve the 
WAN for business-critical traffic. 

□ It enables network planners to proactively manage network growth and 
control cost because deploying multicast is more cost-effective than 
alternatives for increasing LAN and WAN capabilities. 

Limitations of Multicast 

The limitations of multicast include the following: 

□ In general, multicast support is not yet available on the Internet. Therefore, 
using multicast to deliver content is limited to intranet-style deployments. 

□ Not all networking equipment supports multicasting. In addition, not all 
network administrators enable the multicast functionality on their networking 
equipment. 

□ Switches do not understand multicast. When a multicast stream reaches a 
switch, the switch sends the multicast stream to all of its ports. A switch treats 
a multicast address as an Ethernet broadcast. 

About Serving Multicast Content 

The ProxySG takes a multicast stream from the origin server and delivers it as a 
unicast stream. This avoids the main disadvantage of multicasting — that all of the 
routers on the network must be multicast-enabled to accept a multicast stream. 
Unicast-to-multicast, multicast-to-multicast, and broadcast alias-(scheduled live 
from stored content)-to-multicast are also supported. 

For Windows Media multicast, a Windows Media Station file (.nsc) is 
downloaded through HTTP to acquire the control information required to set up 
content delivery. 

For Real Media, multicasting maintains a TCP control (accounting) channel 
between the client and media server. The multicast data stream is broadcast using 
UDP from the ProxySG to streaming clients, who join the multicast. 

Limiting Bandwidth 

The following sections describe how to configure the ProxySG to limit global and 
protocol-specific media bandwidth. 
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To manage streaming media bandwidth, you configure the ProxySG to restrict the 
total number of bits per second the appliance receives from the origin media 
servers and delivers to clients. The configuration options are flexible to allow you 
to configure streaming bandwidth limits for the ProxySG, as well as for each 
streaming protocol (Windows Media, Real Media, and QuickTime). 



Note: Bandwidth claimed by HTTP, non-streaming protocols, and network 
infrastructure is not constrained by this limit. Transient bursts that occur on the 
network can exceed the hard limits established by the bandwidth limit options. 



After it has been configured, the ProxySG limits streaming access to the specified 
threshold. If a client tries to make a request after a limit has been reached, the 
client receives an error message. 



Note: If a maximum bandwidth limitation has been specified for the ProxySG, 
the following condition can occur. If a Real Media client, followed by a Windows 
Media client, requests streams through the same ProxySG and total bandwidth 
exceeds the maximum allowance, the Real Media client enters the rebuffering 
state. The Windows Media client continues to stream. 



Consider the following features when planning to limit streaming media 
bandwidth: 

□ ProxySG to server (all protocols) — The total kilobits per second allowed 
between the appliance and any origin content server or upstream proxy for all 
streaming protocols. Setting this option to 0 effectively prevents the ProxySG 
from initiating any connections to the media server. The ProxySG supports 
partial caching in that no bandwidth is consumed if portions of the media 
content are stored in the ProxySG. 

Limiting ProxySG bandwidth restricts the following streaming media-related 
functions: 

• Live streaming, where the proxy requests from the server, the sum of all 
unique bit rates requested by the clients 

• The ability to fetch new data for an object that is partially cached 

• Reception of multicast streams 

□ Client to ProxySG (all protocols) — The total kilobits per second allowed 
between streaming clients and the ProxySG. Setting this option to 0 effectively 
prevents any streaming clients from initiating connections through the 
ProxySG. 

Limiting client bandwidth restricts the following streaming media-related 
functions: 

• MBR support; when lower bit-rate selection by the client could have 
allowed the client to stream, the client is denied when the bandwidth limit 
is exceeded 
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• Limits the transmission of multicast streams 

□ Client connections — The total number of clients that can connect concurrently. 
When this limit is reached, clients attempting to connect receive an error 
message and are not allowed to connect until other clients disconnect. Setting 
this variable to 0 effectively prevents any streaming media clients from 
connecting. 

Selecting a Method to Limit Streaming Bandwidth 

The ProxySG offers two methods for controlling streaming bandwidth. The way 
that each method controls bandwidth differs — read the information below to 
decide which method best suits your deployment requirements. 

Limiting streaming bandwidth using the streaming features (described in this 
chapter) works as follows: if a new stream comes in that pushes above the 
specified bandwidth limit, that new stream is denied. This method allows existing 
streams to continue to get the same level of quality they currently receive. 

The alternate way of limiting streaming bandwidth is with the bandwidth 
management feature. With this technique, all streaming traffic for which you have 
configured a bandwidth limit shares that limit. If a new stream comes in that 
pushes above the specified bandwidth limit, that stream is allowed, and the 
amount of bandwidth available for existing streams is reduced. This causes 
streaming players to drop to a lower bandwidth version of the stream. If a lower 
bandwidth version of the stream is not available, players that are not receiving 
enough bandwidth can behave in an unpredictable fashion. In other words, if the 
amount of bandwidth is insufficient to service all of the streams, some or all of the 
media players experience a reduction in stream quality. For details, see Volume 6: 
Advanced Networking. 

Because of the degradation in quality of service, for most circumstances. Blue 
Coat recommends that you use the streaming features to control streaming 
bandwidth rather than the bandwidth management features. Do not use both 
methods at the same time. 

Caching Behavior: Protocol Specific 

This section describes the type of content the ProxySG caches for each supported 
protocol. 

Windows Media 

The ProxySG caches Windows Media-encoded video and audio files. The 
standard extensions for these file types are: .wmv, .wma, and .asf. 

Real Media 

The ProxySG caches Real Media-encoded files, such as RealVideo and RealAudio. 
The standard extensions for these file types are: . ra, . rm, and . rmvb. Other content 
served from a Real Media server through RTSP is also supported, but it is not 
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cached. This content is served in pass-through mode only. (Pass-through mode 
offers application, layer-7 proxy functionality, but does not support acceleration 
features — caching, pre-population, splitting, and multi-casting.) 

QuickTime 

The ProxySG does not cache QuickTime content (.mov files). All QuickTime 
content is served in pass-through mode only. 

Caching Behavior: Video-on-Demand 

The ProxySG supports the caching of files for VOD streaming. First, the client 
connects to the ProxySG, which in turn connects to the origin server and pulls the 
content, storing it locally. Subsequent requests of this same content are served 
from the ProxySG. This provides bandwidth savings, as every hit to the ProxySG 
means less network traffic. Blue Coat also supports partial caching of streams. 



Note: On-demand files must be unicast. 



Splitting Behavior: Live Broadcast 

The ProxySG supports splitting of live content, but behavior varies depending 
upon the media type. 

For live streams, the ProxySG can split streams for clients that request the same 
stream. First, the client connects to the ProxySG, which then connects to the origin 
server and requests the live stream. Subsequent requests of the same content from 
different clients are split from the appliance. 

Two streams are considered identical by the ProxySG if they share the following 
characteristics: 

□ The stream is a live or broadcast stream. 

□ The URL of the stream requested by client is identical. 

□ MMS (Microsoft Media Services), MMSU (MMS UDP), and MMST (MMS 
TCP) are considered to be identical. 

Splitting of live unicast streams provides bandwidth savings, since subsequent 
requests do not increase network traffic. 

Multiple Bit Rate Support 

Content authors normally encode streaming media content into different bit rates 
to meet the needs of the different speeds of Internet access — modem, ISDN, DSL, 
and LAN. In contrast, the delivery bit rate is the actual speed at which the content 
is delivered to the client. For example, a stream encoded for playback at 56Kbps 
must be delivered to clients at a bit rate of 56Kbps or higher. A client with enough 
bandwidth might ask the streaming server to send the 56Kbps encoded stream at 
220Kbps; the data is buffered locally and played back at 56Kbps. The playback 
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experience of 56Kbps stream delivered at 220Kbps would be better at 220Kbps 
than at 56Kbps. The reason is that more time is available for the client to request 
packets to be retransmitted if packets are dropped. 

The ProxySG supports multiple bit rate (MBR), which is the capability of a single 
stream to deliver multiple bit rates to clients requesting content from caches from 
within varying levels of network conditions (such as different connecting 
bandwidths and varying levels of competing traffic). This allows the ProxySG and 
the client to negotiate the optimal stream quality for the available bandwidth even 
when the network conditions are bad. MBR increases client-side streaming 
quality, especially when the requested content is not cached. 

The ProxySG caches only the requested bit rate. For example, a media client that 
requests a 50Kbps stream receives that stream, and the ProxySG caches only the 
50Kbps bit rate content, no other rate. 

Bit Rate Thinning 

Thinning support is closely related to MBR, but thinning allows for data rate 
optimizations even for single data-rate media files. If the media client detects that 
there is network congestion, it requests a subset of the single data rate stream. For 
example, depending on how congested the network is, the client requests only the 
key video frames or audio-only instead of the complete video stream. 

Pre-Populating Content 

The ProxySG supports pre-population of streaming files from both HTTP (Web) 
servers and origin content servers (that is, streaming servers). Downloading 
streaming files from HTTP servers reduces the time required to pre-populate the 
file. 



Note: QuickTime content is not supported. 



Pre-population can be accomplished through streaming from the media server. 
The required download time is equivalent to the file length; for example, a two- 
hour movie requires two hours to download. Now, if the media file is hosted on 
an HTTP server, the download time occurs at normal transfer speeds of an HTTP 
object, and is independent of the play length of the media file. 



Note: Content must be hosted on an HTTP server in addition to the media server. 



Using the content distribute CLI command, content is downloaded from the 
HTTP server and renamed with a given URL argument. A client requesting the 
content perceives that the file originated from a media server. If the file on the 
origin media server experiences changes (such as naming convention), SGOS 
bypasses the cached mirrored version and fetches the updated version. 
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About Fast Streaming (Windows Media) 



Note: This feature applies to Windows Media only. 



Windows Media Server version 9 and higher contains a feature called Fast 
Streaming that allows clients to provide streams with extremely low buffering 
time. 

SGOS supports the following functionality for both cached and uncached content: 

□ Fast Start — Delivers an instant playback experience by eliminating buffering 
time. The first few seconds of data are sent using the maximum available 
bandwidth so that playback can begin as soon as possible. 

□ Fast Cache — Streams content to clients faster than the data rate that is 
specified by the stream format. 

Fast Recovery and Fast Reconnect are currently not supported. 

About QoS Support 

The ProxySG supports Quality of Service (QoS), which allows you to create policy 
to examine the Type of Service fields in IP headers and perform an action based 
on that information. For streaming protocols, managing the QoS assists with 
managing bandwidth classes. 

For detailed information about managing QoS, see the Advanced Policy chapter 
in Volume 6: The Visual Policy Manager and Advanced Policy. 

About Streaming Media Authentication 

The following sections discuss authentication between streaming media clients 
and ProxySG appliances and between ProxySG appliances and origin content 
servers (streaming servers). 

Windows Media Server-Side Authentication 

Windows Media server authentication for HTTP and MMS supports the 
following authentication types: 

□ HTTP — BASIC Authentication and Membership Service Account 

□ HTTP — BASIC Authentication and Microsoft Windows Integrated Windows 
Authentication (IWA) Account Database 

□ IWA Authentication and IWA Account Database 

The ProxySG supports the caching and live-splitting of server-authenticated data. 
It has partial caching functionality so that multiple security challenges are not 
issued to Windows Media Player when it accesses different portions of the same 
media file. 
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The first time Windows Media content is accessed on the streaming server, the 
ProxySG caches the content along with the authentication type that was enabled 
on the origin server at the time the client sent a request for the content. The cached 
authentication type remains until the appliance learns that the server has changed 
the enabled authentication type, either through cache coherency (checking to be 
sure the cached contents reflect the original source) or until the ProxySG connects 
to the origin server (to verify access credentials). 

Windows Media Proxy Authentication 

If you configure proxy authentication on the ProxySG, Windows Media clients 
are authenticated based on the policy settings. The ProxySG evaluates the request 
from the client and verifies the accessibility against the set policies. Windows 
Media Player then prompts the client for the proper password. If the client 
password is accepted, the Windows Media server might also require the client to 
provide a password for authentication. If a previously accepted client attempts to 
access the same Windows Media content again, the ProxySG verifies the user 
credentials using its own credential cache. If successful, the client request is 
forwarded to the Windows Media server for authentication. 

Windows Media Player Authentication Interactivities 

Consider the following proxy authentication interactivities with Windows Media 
Player (except when specified, these do not apply to HTTP streaming): 

□ If the proxy authentication type is configured as BASIC and the server 
authentication type is configured as IWA, the default is denial of service. 

□ If proxy authentication is configured as IWA and the server authentication is 
configured as BASIC, the proxy authentication type defaults to BASIC. 

□ The ProxySG does not support authentication based on uri path or 
url_path_regex conditions when using mms as the url scheme. 

□ Transparent style HTTP proxy authentication fails to work with Windows 
Media Players when the credential cache lifetime is set to 0 (independent of 
whether server-side authentication is involved). 

□ If proxy authentication is configured, a request for a stream through HTTP 
prompts the user to enter access credentials twice: once for the proxy 
authentication and once for the media server authentication. 

□ Additional scenarios involving HTTP streaming exist that do not work when 
the TTL is set to zero (0), even though only proxy authentication (with no 
server authentication) is involved. The ProxySG returning a 401-style proxy 
authentication challenge to Windows Media Player 6.0 does not work because 
the Player cannot resolve inconsistencies between the authentication response 
code and the server type returned from the ProxySG. This results in an infinite 
loop of requests and challenges. Example scenarios include transparent 
authentication — resulting from either a transparent request from a player or a 
hard-coded service specified in the ProxySG — and request of cache-local 
(ASX-rewritten or unicast alias) URLs. 
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Windows Media Server Authentication Type (MMS) 



Note: This section applies to Windows Media MMS and requires the CLI. 



Configure the ProxySG to recognize the type of authentication the origin content 
server is using: BASIC or NTLM/ Kerberos. 

To configure the media server authentication type for WM-MMS: 

At the (config) prompt, enter the following command: 

SGOS# (config) streaming windows-media server-auth-type {basic | ntlm} 

Real Media Proxy Authentication 

If you configure proxy authentication on the ProxySG, Real Media clients are 
authenticated based on the policy settings. The ProxySG evaluates the request 
from the client and verifies the accessibility against the set policies. Next, 
RealPlayer prompts the client for the proper password. If the client password is 
accepted, the Real Media server can also require the client to provide a password 
for authentication. If a previously accepted client attempts to access the same Real 
Media content again, the ProxySG verifies the user credentials using its own 
credential cache. If successful, the client request is forwarded to the Real Media 
server for authentication. 

Real Media Player Authentication Limitation 

Using RealPlayer 8.0 in transparent mode with both proxy and Real Media server 
authentication configured to BASIC, RealPlayer 8.0 always sends the same proxy 
credentials to the media server. This is regardless of whether a user enters in 
credentials for the media server. Therefore, the user is never authenticated and 
the content is not served. 

QuickTime Proxy Authentication 

BASIC is the only proxy authentication mode supported for QuickTime clients. If 
an IWA challenge is issued, the mode automatically downgrades to BASIC. 



50 



Chapter 3: Managing Streaming Media 



Section B: Configuring Streaming Media 

Section B: Configuring Streaming Media 

This section describes how to configure the various ProxySG streaming options. It 
contains the following topics: 

□ "Configuring Streaming Services to Intercept Traffic" on page 51 

□ "Configuring the Streaming Proxies" on page 55 

□ "Limiting Bandwidth" on page 56 

□ "Configuring the ProxySG Multicast Network" on page 58 

□ "Forwarding Client Logs" on page 59 

□ "Related CLI Syntax to Manage Streaming" on page 60 

□ "Reference: Access Log Fields" on page 60 

□ "Reference: CPL Triggers, Properties, and Actions" on page 62 

□ "Streaming History Statistics" on page 62 

Related Topics 

You must also configure the network service (Configuration > Network > Services) to 
assign port numbers and modes (transparent or proxy). For more information, 
refer to Volume 2: Proxies and Proxy Services. 

Configuring Streaming Services to Intercept Traffic 

By default (upon upgrade and on new systems), the ProxySG has streaming 
services configured on ports 17 55 (MMS) and 554 (RTSP). The services are 
configured to listen to all IP addresses, but are set to Bypass mode. 

The following procedure describes how to change the service to Intercept mode. 

To configure the MMS/RTSP proxy services attributes: 

1. From the Management Console, select Configuration > Services > Proxy Services. 
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Proxy Services Static Bypass List | Restricted Intercept List 




2. Change the streaming services to Intercept: 

a. Scroll the list of services and select the Standard service group; select 
the MMS and RTSP groups (the service trees expand). 

b. From the MMS: <AII>:1 755 drop-down list, select Intercept. 

c. From the RTSP: <AII>:554 drop-down list, select Intercept. 

3. Click Apply. 

Now that the streaming listeners are configured, you can configure the streaming 
proxies. Proceed to: 

□ "Configuring the Streaming Proxies" on page 55 to configure the proxy 
options that determine how to process streaming traffic. 

□ "Adding a New Streaming Service" (below) to add new streaming services 
that bypass specific network segments or listen on ports other than the 
defaults. 

Adding a New Streaming Service 

The ProxySG allows you to add new streaming services. Consider the following 
scenario: you want the ProxySG to exclude (bypass) an IP address /subnet from 
intercepting streaming because that network segment is undergoing routine 
maintenance. 

To add a new streaming service: 

1. From the Management Console, select Configuration > Services > Proxy Services. 
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2. Scroll the list of services and select the Standard service group. 

3. Click New Service. The New Service dialog displays with the default settings. 
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4. Configure the service options: 



a. Name the service. In this example, the service is named 
ExcludeStreaming because the network admin wants to prevent the 
ProxySG from intercepting streaming traffic from a specific IP address. 

b. From the Service Group drop-down list, select Standard — the service 
group to which streaming traffic belongs. 

c. From the Proxy Settings drop-down list, select MMS or RTSP. 
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Note: To bypass traffic from both streaming protocols, create another 
service for the streaming protocol not selected in this step. 



d. Click New. The New Listener dialog displays. 

e. This example selects the Destination host or subnet option and specifies a 
sample IP address. 

f. This example accepts the default value of 554, the default port for the 
RTSP protocol. If the ProxySG is intercepting streaming traffic on a 
different port, you must specify the port number here. 

g. This example selects Bypass as the option; the ProxySG will not 
intercept streaming traffic. 

h. Click OK in each dialog to close them. The new service displays under 
the Intranet service group as its own service, not under the Endpoint 
Mapper service. 

Configuring the Streaming Proxies 

This section describes how to configure the Streaming Media proxies. The 
Windows Media and Real Media proxy options are identical except for one extra 
option for Real Media. As QuickTime is passed through the ProxySG and not 
cached, there is only one option (Enable HTTP Handoff). 

To configure Windows Media, Real Media, and QuickTime streaming proxies: 

1. From the Management Console, select Configuration > Proxy Settings> Streaming 

Proxies > Windows Media, Real Media, or QuickTime. 



dows Media 

Refresh: 



WMedia Bandwidth 



Real Media 



RMedia Bandwidth 



QuickTime 



0 Never check freshness 



© Check freshness every 0.01 hours 
O Check freshness every access 



r General: 



Enable HTTP handoff 

-c> 0 Forward client-generated logs to origin media server 
-c> 0 Enable multicast 



2. Specify how often the ProxySG checks cached streaming content for freshness. 



• Never check freshness: Although this is the default setting. Blue Coat 
recommends selecting one of the other freshness options. 
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• Check freshness every value hours: The ProxySG checks content freshness 
every ruin hours. 



Note: A value of 0 requires the streaming content to always be checked 
for freshness. 



• Check freshness every access: Every time cached content is requested, it is 
checked for freshness. 

3. Enable HTTP handoff: Enabled by default. When a Windows Media, Real Media, 
or QuickTime client requests a stream from the ProxySG over port 80, which 
in common deployments is the only port that allows traffic through a firewall, 
the HTTP module passes control to the streaming module so HTTP streaming 
can be supported through the HTTP proxy port. Only disable if you do not 
want HTTP streams to be cached or split. 

4. Forward client-generated logs to origin media server: Enabled by default. The 
ProxySG logs information, such as client IP address, the date, and the time, to 
the origin server for Windows Media and Real Media content. See 
"Forwarding Client Logs" on page 59 for more information about log 
forwarding. 

5. Enable multicast (Real Media proxy only): The ProxySG receives a unicast 
stream from the origin RealServer and serves it as a multicast broadcast. This 
allows the ProxySG to take a one-to-one stream and split it into a one-to-many 
stream, saving bandwidth and reducing the server load. It also produces a 
higher quality broadcast. 

Multicasting maintains a TCP control (accounting) channel between the client 
and RealServer. The multicast data stream is broadcast using UDP from the 
ProxySG to RealPlayers that join the multicast. The ProxySG support for Real 
Media uses UDP port 554 (RTSP) for multicasting. This port number can be 
changed to any valid UDP port number. 

6. Click Apply. 

Note: For multicast, additional configuration is required. See "Configuring the 

ProxySG Multicast Network" on page 58. 



Limiting Bandwidth 

This section describes how to limit bandwidth from the clients to the ProxySG 
and the ProxySG to origin content servers. 

Configuring Bandwidth Limits — Global 

This section describes how to limit bandwidth use of all streaming protocols 
through the ProxySG. 
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To specify the bandwidth limit for all streaming protocols: 

1. Select Configuration > Proxy Settings> Streaming Proxies > General. 




2. To limit the client connection bandwidth: 

a. In the Bandwidth field, select Limit client bandwidth to. In the Kilobits/sec 

field, enter the maximum number of kilobits per second that the 
ProxySG allows for all streaming client connections. 

Note: This option is not based on individual clients. 



b. In the Bandwidth pane, select Limit gateway bandwidth. In the Kilobits/sec 

field, enter the maximum number of kilobits per second that the 
ProxySG allows for all streaming connections to origin media servers. 

3. Click Apply. 

Configuring Bandwidth Limits — Protocol-Specific 

This section describes how to limit bandwidth use per-protocol through the 
ProxySG. You can also limit the number of connections from the ProxySG to the 
OCS. The following example uses Real Media, but the Management Console 
screens are identical for all protocols. 

To specify the bandwidth limit for Windows Media, Real Media, or QuickTime: 

1. Select Configuration > Proxy Settings> Streaming Proxies > WMedia Bandwidth -or- 
RMedia Bandwidth -or- QuickTime Bandwidth. 
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WMedia Bandwidth Real Media 


RMedia Bandwidth 


QuickTime 4 












Limit client bandwidth to: 100 


kjlobits/sec 




2b — 


— Limit gateway bandwidth to: 500 


kilobits/sec 




3 


Limit maximum connections: 30 


clients 





2. Configure bandwidth limit options: 

a. To limit the bandwidth for client connections to the ProxySG, select 
Limit client bandwidth to. In the Kilobits/sec field, enter the maximum 
number of kilobits per second that the ProxySG allows for all 
streaming client connections. 

b. To limit the bandwidth for connections from the ProxySG to origin 
content servers, select Limit gateway bandwidth to. In the Kilobits/sec field, 
enter the maximum number of kilobits per second that the ProxySG 
allows for all streaming connections to origin media servers. 

3. To limit the bandwidth for connections from the ProxySG to the OCS, select 
Limit maximum connections. In the clients field, enter the total number of clients 
that can connect concurrently. 

4. Click Apply. 

Configuring Bandwidth Limitation — Fast Start (WM) 



Note: This section applies to Windows Media only and requires the CLI. 



Upon connection to the ProxySG, Windows Media clients do not consume more 
bandwidth (in kilobits per second) than the defined value. 

To specify the maximum starting bandwidth: 

At the (config) prompt, enter the following command: 

SGOS# (config) streaming windows-media max-fast-bandwidth kbps 

Configuring the ProxySG Multicast Network 

This section describes how to configure the ProxySG multicast service. Additional 
steps are required to configure the ProxySG to serve multicast broadcasts to 
streaming clients (Windows Media and Real Media); those procedures are 
provided in subsequent sections. 

To configure the multicast service: 

1. Select Configuration > Services > Streaming Proxies > General. 
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2. Configure multicast options: 

a. In the Maximum hops field, enter a time-to-live (TTL) value. 

b. In the IP range fields, enter the range of IP addresses that are available 
for multicast. 

c. In the Port range fields, enter the range of ports available for multicast. 

3. Click Apply. 

4. Enable multicast: 

• Real Media: See Step 5 on page 56. 

• Windows Media: See "Managing Multicast Streaming for Windows 
Media" on page 65. 

Forwarding Client Logs 

The ProxySG can log information about Windows Media and Real Media 
streaming sessions between the client and the ProxySG and can also forward 
these client generated logs to the origin media server. Additionally, for Windows 
Media RTSP only, ProxySG also supports forwarding values for certain fields to 
the server, when windows-media streaming proxy has log forwarding enabled 
and logging compatibility disabled. 



Note: For Real Media, the log is only forwarded before a streaming session is 
halted; QuickTime log forwarding is not supported. 



The following fields are included in the client log record: 

□ cs-uri-stem: URI stem of the client request. 

□ s-cpu-utii: CPU utilization of the ProxySG. 

□ s- total clients: Clients connected to the ProxySG (but not necessarily 
receiving streams). 

□ s-pkts-sent: Number of packets the ProxySG sent to the client, during the 
playspurt. 
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□ s-proxied: Set to 1 for proxied sessions. 

□ s-session-id: A unique ID of the streaming session between the client and the 
ProxySG. 

□ sc-bytes: Number of bytes the ProxySG sent to the client, during the 
playspurt. 

To enable/disable log forwarding: 

Use the Management Console (see "Configuring the Streaming Proxies" on page 
55) or use the following CLI command at the (config) prompt: 

SGOS# (config) streaming windows-media log-forwarding {enable | 
disable } 

To enable/disable RTSP log compatibility: 

At the (config) prompt, enter the following command: 

SGOS# (config) streaming windows-media log-compatibility {enable | 
disable } 

Related CLI Syntax to Manage Streaming 

□ To enter configuration mode: 

SGOS# (config) proxy- services 

SGOS# (config proxy-services) create {mms | rtsp} service_name 

□ The following submodes are available: 

SGOS# (config) streaming max-client-bandwidth kbitssecond 
SGOS# (config) streaming max-gateway-bandwidth kbits_second 
SGOS# (config) streaming {windows-media | real-media | quicktime} {max- 
client-bandwidth kbits_second | no max- client-bandwidth) 

SGOS# (config) streaming {windows-media | real-media | quicktime) {max- 
gateway-bandwidth kbitssecond | no max-gateway-bandwidth } 

SGOS# (config) streaming {windows-media | real-media | quicktime) {max- 
connections number | no max-connection) 

SGOS# (config) streaming {windows-media | real-media | quicktime) http- 
handoff disable 

SGOS# (config) streaming {windows-media | real-media) refresh-interval 

number. number 

SGOS# (config) streaming real-media multicast enable 

SGOS# (config) streaming windows-media server-auth-type {basic | ntlm) 
SGOS# (config) content-distribute url [from url ] 

Reference: Access Log Fields 

The QuickTime and Real Media proxies generate a streaming access log at the end 
of a streaming session; the Windows Media proxy generates a log entry when one 
of the following occurs: 

□ It receives a log record from the client at the end of each playspurt. 
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□ A denial or error condition prevents the client from creating a playspurt or 
ends the playspurt abruptly Examples include: when a client is denied access 
due to authentication failures or content filtering, when the ProxySG is unable 
to process a session due to bandwidth or connection allocation errors, and 
when the server returns an error to a client request. 

The type of action is recorded in the s-action access log field: allowed, denied, 

FAILED, SERVER_ERROR. 

The streaming-specific access log fields are described below, in alphabetical 

order. 

□ audiocodec: Audio codec used in stream. 

□ avgbandwidth: Average bandwidth (in bits per second) at which the client was 
connected to the server. 

□ channelURL: URL to the . nsc file. 

□ c-buf fercount: Number of times the client buffered while playing the stream. 

□ c-bytes: An MMS-only value of the total number of bytes delivered to the 
client. 

□ c-cpu: Client computer CPU type. 

□ c-hostexe: Host application. 

□ c-hostexever: Host application version number. 

□ c-os: Client computer operating system. 

□ c-osversion: Client computer operating system version number. 

□ c-piayerid: Globally unique identifier (GUID) of the player. 

□ c-player language: Client language-country code. 

□ c-piayerversion: Version number of the player. 

□ c-rate: Mode of Windows Media Player when the last command event was 
sent. 

□ c-starttime: Timestamp (in seconds) of the stream when an entry is 
generated in the log file. 

□ c-status: Codes that describe client status. 

□ c-totaibuf f ertime: Time (in seconds) the client used to buffer the stream. 

□ f ileiength: Length of the file (in seconds). 

□ fiiesize: Size of the file (in bytes). 

□ protocol: Protocol used to access the stream: ms, http, or asfm. 

□ s-session-id: Session ID for the streaming session. 

□ s- total clients: Clients connected to the server (but not necessarily receving 
streams). 

□ transport: Transport protocol used (UDP, TCP, multicast, and so on). 
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□ videocodec: Video codec used to encode the stream. 

□ x-cache-info: Values: unknown, demand_passthru, demand_miss, demand_hit, 

LIVE_PASSTHRU, LIVE_SPLIT. 

□ x-duration: Length of time a client played content prior to a client event (FF, 
REW, Pause, Stop, or jump to marker). 

□ x-wm-c-dns: Hostname of the client determined from the Windows Media 
protocol. 

□ x-wm-c-ip: The client IP address determined from the Windows Media 
protocol. 

□ x-cs- st reaming -client: Type of streaming client in use (windows media, 
real_media, or quicktime). 

□ x-rs-streaming-content: Type of streaming content served. 

□ x-streaming-bitrate: The reported client-side bitrate for the stream. 

Reference: CPL Triggers, Properties, and Actions 

The following Blue Coat CPL is supported in streaming proxies: 

Triggers 

□ streaming . client= 

□ streaming . content= 

Properties and Actions 

streaming . transport= 

Streaming History Statistics 

The Streaming History tabs (Windows Media, Real Media, and QuickTime) display 
bar graphs that illustrate the number of active client connections over the last 
hour (60 minutes), day (24 hours), and month (30 days). These statistics are not 
available through the CLI. The Current Streaming Data and Total Streaming Data 
tabs display real-time values for current connection and live traffic activity on the 
ProxySG. Current and total streaming data statistics are available through the 
CLI. 

To view client statistics: 

1. Select Statistics > Protocol Details > Streaming History. 

2. Select the tab for the client for which you want to view statistics: Windows 
Media, RealMedia, QuickTime. 

3. Select the Duration: from the drop-down menu. 

Choose from Last Hour, Last Day, Last Month, and All Periods. 
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4. (Optional) To set the graph scale to a different value, select a value from the 

Graph scale should drop-down list. 

Viewing Current and Total Streaming Data Statistics 

The Management Console Current Streaming Data tab and the Total Streaming Data tab 

show real-time values for Windows Media, Real Media, and QuickTime activity 
on the ProxySG. These statistics can also viewed through the CLI. 

To view current streaming data statistics: 

1. Select Statistics > Protocol Details > Streaming History > Current Streaming Data. 



Windows Media | Real Media | QuickTime 
Protocol: Windows Media 



Client 

UDP Connections: 6 

TCP Connections: 0 

HTTP Connections: 1 1 

Multicast Connections: 0 



Current Streaming Data 



Gateway 

0 

14 

244 

0 



Total Streaming Data 



Live Traffic v 

Live Connections: 3 3 

Packets: 43,447 43,604 

Bytes: 132,199,237 132,101,152 



Help 



2. Select a streaming protocol (Windows Media, Real Media, QuickTime) from the 
Protocol drop-down list. 

3. Select a traffic connection type (Live Traffic, On-Demand Traffic, or Passthru Traffic) 

from the drop-down list. 



To view total streaming data statistics: 

1. Select Statistics > Streaming History > Total Streaming Data. 
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QuickTime | Current Streaming Data Total Streaming Data < 

- Total Streaming Data 



Protocol: 


Windows Media 


V 




Windows Media 


UDP Connections: 
T CP Connections: 


Real Media 
QuickTime 


HTTP Connections: 




0 


0 


Multicast Connections: 




0 


0 


Live T raffic 


V 






Live Connections: 




0 


0 


Packets: 




0 


0 


Bytes: 




0 


0 



Help 

2. Select a streaming protocol (Windows Media, Real Media, QuickTime) from the 
Protocol drop-down list. 

3. Select a traffic connection type (Live Traffic, On-Demand, or Passthru Traffic) from 
the drop-down list. 

To clear streaming statistics: 

To zero-out the streaming statistics, enter the following command at the CLI 
prompt: 

SGOS# clear-statistics {quicktime | real-media | windows -media } 
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Section C: Additional Windows Media Configuration Tasks 

This section provides Windows Media configuration tasks that aren't available 
through the Management Console, but can be executed through the CLI. 

This section contains the following topics: 

□ "Managing Multicast Streaming for Windows Media" on page 65 

□ "Managing Simulated Live Content (Windows Media)" on page 69 

□ "ASX Rewriting (Windows Media)” on page 71 

Managing Multicast Streaming for Windows Media 

This section describes multicast station and . nsc files, and explains how to 
configure the ProxySG to send multicast broadcasts to Windows Media clients. 

About Multicast Stations 

A multicast station is a defined location from where Windows Media Player 
retrieves live streams. This defined location allows Advanced Streaming Format 
(. asf) streams to be delivered to many clients using only the bandwidth of a 
single stream. Without a multicast station, streams must be delivered to clients 
through unicast. 

A multicast station contains all of the information needed to deliver .asf content 
to a Windows Media Player or to another ProxySG, including: 

□ IP address 

□ Port 

□ Stream format 

□ TTL value (time-to-live, expressed hops) 

The information is stored in an . nsc file, which Window Media Player must be 
able to access to locate the IP address. 

If Windows Media Player fails to find proper streaming packets on the network 
for multicast, the player can roll over to a unicast URL. Reasons for this include 
lack of a multicast-enabled router on the network or if the player is outside the 
multicast station's TTL. If the player fails to receive streaming data packets, it uses 
the unicast URL specified in the . nsc file. All . nsc files contain a unicast URL to 
allow rollover. 

Unicast to Multicast 

Unicast to multicast streaming requires converting a unicast stream on the server- 
side connection to a multicast station on the ProxySG. The unicast stream must 
contain live content before the multicast station works properly. If the unicast 
stream is a video-on-demand file, the multicast station is created but is not able to 
send packets to the network. For video-on-demand files, use the broadcast-alias 
command. A broadcast alias defines a playlist, and specifies a starting time, date, 
and the number of times the content is repeated. 
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Multicast to Multicast 

Use the multicast-alias command to get the source stream for the multicast 
station. 

Creating a Multicast Station 

To create a multicast station, you perform the following steps: 

□ Define a name for the multicast station. 

□ Define the source of the multicast stream. 

□ (Optional) Change the port range to be used. 

□ (Optional) Change the IP address range of the multicast stream. 

□ (Optional) Change the Time-to-Live (TTL) value. TTL is a counter within an 
ICMP packet. As a packet goes through each router, the router decrements 
this TTL value by 1. If the packet traverses enough routers for the value to 
reach 0, routers will no longer forward this packet. 

□ Use the multicast alias, unicast alias, and broadcast alias commands to enable 
the functionality. 

Syntax 

multicast-station name [alias [ urlj [ address | port | ttl ] 

where 

• name specifies the name of the multicast station, such as stationl. 

• [alias | uri } defines the source of the multicast stream. The source can 
be a URL or it can be a multicast alias, a unicast alias, or simulated live. 
(The source commands must be set up before the functionality is enabled 
within the multicast station.) 

• [address j port \ ttl] are optional commands that you can use to 
override the default ranges of these values. (Defaults and permissible 
values are discussed below.) 

Example 1: Create a Multicast Station 

This example: 

□ Creates a multicast station, named stationl, on ProxySG io . 25 . 36 . 47. 

□ Defines the source as rtsp: // 10 .25.36. 47 /tenchi 

□ Accepts the address, port, and TTL default values. 

SGOS# (config) streaming windows-media multicast-station stationl 
rtsp://10.25.36. 47 /tenchi . 

To delete multicast stationl: 

SGOS# (config) streaming no multicast-station stationl 
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Example 2: Create a Broadcast Alias and Direct a Multicast Station to Use 
it as the Source 

This example: 

□ To allow unicast clients to connect through multicast, creates a broadcast alias 
named arrayi; defines the source as rtsp: / /io. 25 .36 . 4 8/tenchi2. 

□ Instructs the multicast station from Example 1, stationi, to use the broadcast 
alias, arrayi, as the source. 

SGOS# (config) streaming windows-media broadcast-alias arrayi rtsp:// 

10 . 25 . 3 6 . 48 /tenchi2 0 today noon 

SGOS# (config) streaming windows-media multicast-station stationi 
arrayi 

Changing Address, Port, and TTL Values 

Specific commands allow you to change the address range, the port range, and 
the default TTL value. To leave the defaults as they are for most multicast stations 
and change it only for specified station definitions, use the multicast-station 
command. 

The multicast-station command randomly creates an IP address and port from 
the specified ranges. 

□ Address-range: the default ranges from 224 . 2. 128.0 to 224 . 2. 255 . 255 ; the 
permissible range is between 224 . 0 . 0.2 and 239 . 255 . 255 . 255 . 

□ Port-range: the default ranges from 32768 to 65535; the permissible range is 
between 1 and 65535. 

□ TTL value: the default value is 5 hops; the permissible range is from 1 to 255 . 

Syntax, with Defaults Set 

multicast address-range <224 . 2 . 128 . 0>-<224 . 2 . 255 . 255> 
multicast port-range <32 7 68>-<65535> 
multicast ttl <5> 

Getting the .nsc File 

The . nsc file is created from the multicast station definition and saved through 
the browser as a text file encoded in a Microsoft proprietary format. 

Without an .nsc file, the multicast station definition does not work. 

To create an . nsc file from the newly created stationi, open the file by navigating 
through the browser to the multicast station's location (where it was created) and 
save the file as stationi .nsc. 

The file location, based on the streaming configuration above: 

http: //10.25.36. 47/MMS/nsc/ stationi . nsc 

Save the file as stationi . nsc. 



Note: You can also enter the URL in Windows Media Player to start the stream. 
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The newly created file is not editable; the settings come from the streaming 
configuration file. In that file, you have already defined the following pertinent 
information: 

□ The address, which includes TTL, IP address, IP port. Unicast URL, and the 
NSC URL. All created . nsc files contain a unicast URL for rollover in case 
Windows Media Player cannot find the streaming packets. 

□ The description, which references the RTSP URL that you defined. 

□ The format, which contains important Advanced Streaming Format (ASF) 
header information. All streams delivered by the multicast station definition 
have their ASF headers defined here. 



Monitoring the Multicast Station 

You can determine the multicast station definitions by viewing the streaming 
Windows Media configuration. 



To view the multicast station setup: 

SGOS# (config) show streaming windows config 

; Windows Media Configuration 
license : 1 XXXXXXX- 7 XXXXXXX- 7 XXXXX 

logging: enable 

logging enable 
http-handof f : enable 

live-retransmit : enable 

(1755) 



transparent -port 
explicit proxy: 0 

refresh-interval : 
max connections: 
connections) 
max-bandwidth : 
max-gateway-bandwidth : 
bandwidth) 
multicast address: 
multicast port: 
multicast TTL: 
asx-rewrite : 
multicast-alias : 
unicast-alias : 
broadcast-alias : 
multi cast- station : 
224.2.207.0 40465 



enable 

no refresh interval (Never check freshness) 
no max-connections (Allow maximum 

no max-bandwidth (Allow maximum bandwidth) 
no max-gateway-bandwidth (Allow maximum 



224.2.128.0 - 
32768 - 65535 
5 

rules 
rules 
rules 
rules 



224.2.255.255 



No 
No 
No 
No 

stationl 

(playing) 



rtsp://10.25.36.47/ tenchi 



Note: Playing at the end of the multicast station definition indicates that the 
station is currently sending packets onto the network. The IP address and 
port ranges have been randomly assigned from the default ranges allowed. 



To determine the current client connections and current ProxySG connections, use 

the show streaming windows-media statistics command. 
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To view the multicast station statistics: 

SGOS# (config) show streaming windows stat 

;Windows Media Statistics 
Current client connections: 
by transport: 0 UDP, 0 TCP, 0 HTTP, 1 multicast 
by type: 1 live, 0 on-demand 
Current gateway connections: 
by transport: 0 UDP, 1 TCP, 0 HTTP, 0 multicast 
by type: 1 live, 0 on-demand 

Multicast to Unicast Live Conversion at the ProxySG 

The ProxySG supports converting multicast streams from an origin content server 
to unicast streams. The stream at the ProxySG is given the appropriate unicast 
headers to allow the appliance to direct one copy of the content to each user on 
the network. 

Multicast streaming only uses UDP protocol and does not know about the control 
channel, which transfers essential file information. The . nsc file (a file created off- 
line that contains this essential information) is retrieved at the beginning of a 
multicast session from an HTTP server. The multicast-alias command specifies 
an alias to the URL to receive this .nsc file. 

The converted unicast stream can use any of the protocols supported by Windows 
Media, including HTTP streaming. 

When a client requests the alias content, the ProxySG uses the URL specified in 
the multicast-alias command to fetch the .nsc file from the HTTP server. 

The .nsc file contains all of the multicast-related information, such as addresses 
and . asf file header information that is normally exchanged through the control 
connection for unicast-delivered content. 

Note: For Windows Media streaming clients, additional multicast information is 
provided in "Managing Multicast Streaming for Windows Media" on page 65. 



Managing Simulated Live Content (Windows Media) 

This section describes simulated live content and how to configure the ProxySG to 
manage and serve simulated live content. 

About Simulated Live Content 

The simulated live content feature defines playback of one or more video-on- 
demand files as a scheduled live event, which begins at a specified time. The 
content can be looped multiple times, or scheduled to start at multiple start times 
throughout the day. If used in conjunction with the multicast-alias command, 
the live content is multicast; otherwise, live content is accessible as live-splitting 
sources. The feature does not require the content to be cached. 

When you have set a starting date and time for the simulated live content, the 
broadcast of the content starts when at least one client requests the file. Clients 
connecting during the scheduled playback time of the simulated live content 
receive cached content for playback. Clients requesting the simulated live content 
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before the scheduled time are put into wait mode. Clients requesting the content 
after all of the contents have played receive an error message. Video-on-demand 
content does not need to be on the ProxySG before the scheduled start time, but 
prepopulating the content on the provides better streaming quality. 

The ProxySG computes the starting playtime of the broadcast stream based on the 
time difference between the client request time and the simulated live starting 
time. 

Before configuring simulated live, consider the following: 

□ The simulated live content name must be unique. Aliases are not case 
sensitive. 

□ The name cannot be used for both a unicast and a multicast alias name. 

□ After simulated live content is referenced by one or more multicast stations, 
the simulated live content cannot be deleted until all multicast stations 
referencing the simulated live content are first deleted. 

The multicast station appears as another client of simulated live content, just like 
a Windows Media Player. 



Note: This note applies to HTTP only. If a client opens Windows Media Player 
and requests an alias before the starting time specified in the broadcast-alias 
option, the HTTP connection closes after a short time period. When the specified 
time arrives, the player fails to reconnect to the stream and remains in waiting 
mode. 



Creating a Broadcast Alias for Simulated Live Content 

Syntax 

streaming windows-media broadcast-alias alias url loops date time 

where: 

• alias is the name of the simulated live content. 

• uri is the URL for the video-on-demand stream. Up to 128 URLs can be 
specified for simulated live content. 

• loops is the number of times you want the content to be played back. Set 
to 0 (zero) to allow the content to be viewed an indefinite number of times. 

• date is the simulated live content starting date. Valid date strings are in 
the format yyyy-mm-dd or today. You can specify up to seven start dates by 
using the comma as a separator (no spaces). 

• time is the simulated live content starting time. Valid time strings are in 
the format hh ■. mm (on a 24-hour clock) or one of the following strings: 

— midnight, noon 

— lam, 2am, . . . 

— 1pm, 2pm, . . . 



70 



Chapter 3: Managing Streaming Media 



Section C: Additional Windows Media Configuration Tasks 

Specify up to 24 different start times within a single date by using the comma 
as a separator (no spaces). 

Example 1 

This example creates a playlist for simulated live content. The order of playback is 
dependent on the order you enter the URLs. You can add up to 128 URLs. 

SGOS# (config) streaming windows-media broadcast-alias alias url 

Example 2 

This example demonstrates the following: 

□ creates a simulated live file called bca. 

□ plays back rtsp : / /ocs . bca. com/bcal . asf and rtsp : // ocs .bca. com/bca2 . asf . 

□ configures the ProxySG to play back the content twice. 

□ sets a starting date and time of today at 4 p.m v 6 p.m v and 8 p.m. 

SGOS# (config) streaming windows-media broadcast-alias bca rtsp:// 
ocs.bca.com/bcal.asf 2 today 4pm, 6pm, 8pm 

SGOS# (config) streaming windows-media broadcast-alias bca rtsp:// 
ocs .bca . com/bca2 . asf 

To delete simulated live content: 

SGOS# (config) streaming windows-media no broadcast-alias alias 

ASX Rewriting (Windows Media) 

This section describes ASX rewriting and applies to Windows Media only. 

Am ASX file is an active streaming redirector file that points to a Windows Media 
audio or video presentation. It is a metafile that provides information about 
Active Streaming Format (ASF) media files. 

About ASX Rewrite 

If your environment does not use a Layer 4 switch or the Cisco Web Cache 
Control Protocol (WCCP), the ProxySG can operate as a proxy for Windows 
Media Player clients by rewriting the Windows Media ASX file (which contains 
entries with URL links to the actual location of the streaming content) to point to 
the ProxySG rather than the Windows Media server. 

The metadata files can have . asx, . wvx, or . wax extensions, but are commonly 
referred to as ASX files. The ASX file references the actual media files 
(with .asf, . wmv, and . wma extensions). An ASX file can refer to other .asx files, 
although this is not a recommended practice. If the file does not have one of the 
metafile extensions and the Web server that is serving the metadata file does not 
set the correct MIME type, it is not processed by the Windows Media module. 
Also, the . asx file with the appropriate syntax must be located on an HTTP (not a 
Windows Media) server. 

The ASX rewrite module is triggered by either the appropriate file extension or 
the returned MIME type from the server (x-video-asf). 
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Note: If an . asx file syntax does not follow the standard <asx> tag-based syntax, 
the ASX rewrite module is not triggered. 



For the ProxySG to operate as a proxy for Windows Media Player requires the 
following: 

□ The client is explicitly proxied for HTTP content to the ProxySG that rewrites 
the .asx metafile. 

□ The streaming media ProxySG is configurable. 



Note: Windows Media Player automatically tries to roll over to different 
protocols according to its Windows Media property settings before trying the 
rollover URLs in the . asx metafile. 



With the asx-rewrite command, you can implement redirection of the streaming 
media to a ProxySG by specifying the rewrite protocol, the rewrite IP address, 
and the rewrite port. 

The protocol specified in the ASX rewrite rule is the protocol the client uses to 
reach the ProxySG. You can use forwarding and policy to change the default 
protocol specified in the original . asx file that connects to the origin media server. 

When creating ASX rewrite rules, you need to determine the number priority. It is 
likely you will create multiple ASX rewrite rules that affect the . asx file; for 
example, rule 100 could redirect the IP address from 10.25. 36.01 to 10.25. 36. 47, 
while rule 300 could redirect the IP address from 10. 25. 36.01 to 10.25. 36. 58. In 
this case, you are saying that the original IP address is redirected to the IP address 
in rule 100. If that IP address is not available, the ProxySG looks for another rule 
matching the incoming IP address. 

Notes and Interactivities 

Before creating rules, consider the following. 

□ Each rule you create must be checked for a match; therefore, performance 
might be affected if you create many rules. 

□ Low numbers have a higher priority than high numbers. 



Note: Rules can only be created through the CLI. 

□ ASX rewrite rules configured for multiple ProxySG appliances configured in 
an HTTP proxy-chaining configuration can produce unexpected URL entries 
in access logs for the downstream ProxySG (the ProxySG that the client proxies 
to). The combination of proxy-chained ProxySG appliances in the HTTP path 
coupled with ASX rewrite rules configured for multiple ProxySG appliances 
in the chain can create a rewritten URL requested by the client in the example 
form of: 
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protocoll : / /downstream_SecApp/redirect?protocol2 : / /<upstream_ 
SecApp>/redirect?protocol3 : / / origin_host/ origin_path 

In this scenario, the URL used by the downstream ProxySG for caching and 
access logging can be different than what is expected. Specifically, the 
downstream ProxySG creates an access log entry with protocoi2 : // 
upstream_secApp/ redirect as the requested URL. Content is also cached using 
this truncated URL. Blue Coat recommends that the ASX rewrite rule be 
configured for only the downstream ProxySG, along with a proxy route rule 
that can forward the Windows Media streaming requests from the 
downstream to upstream ProxySG appliances. 

Syntax for the asx-rewrite Command: 

asx-rewrite rule # in-addr cache-proto cache-addr [ cache-port ] 

where: 

• in-addr — Specifies the hostname or IP address delivering the content 

• cache-proto — Specifies the rewrite protocol on the ProxySG. Acceptable 
values for the rewrite protocol are: 

• mmsu specifies Microsoft Media Services UDP 

• mmst specifies Microsoft Media Services TCP 

• http specifies HTTP 

• mms specifies either MMS-UDP or MMS-TCP 

• * specifies the same protocol as in the . asx file 

If the .asx file is referred from within another .asx file (not a recommended 
practice), use a * for the cache-proto value. The * designates that the 
protocol specified in the original URL be used. As a conservative, alternative 
approach, you could use HTTP for the cache-proto value. 

• cache-addr — Specifies the rewrite address on the ProxySG. 

• cache-port — Specifies the port on the ProxySG. This value is optional. 

To set up the .asx rewrite rules: 

At the (config) command prompt, enter the following command: 

SGOS# (config) streaming windows-media asx-rewrite number in-addr 
cache-proto cache-addr cache-port 



Note: To delete a specific rule, enter streaming windows-media no asx- 
rewrite number. 



To ensure that an ASX rewrite rule is immediately recognized, clear the local 
browser cache. 



Example 

This example: 
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□ Sets the priority rule to 200. 

□ Sets the protocol to be whatever protocol was originally specified in the URL 
and directs the data stream to the appropriate default port. 

□ Provides the rewrite IP address of 10 . 9 . 4 4 . 53, the ProxySG. 

SGOS# (config) streaming windows-media asx-rewrite 200 * * 10.9.44.53 



Note: ASX files must be fetched from HTTP servers. If you are not sure of the 
network topology or the content being served on the network, use the 
asterisks to assure the protocol set is that specified in the URL. 



ASX Rewrite Incompatibility With Server-side IWA Authentication 

Server-side authentication (MMS only, not HTTP) is supported if the origin media 
server authentication type is BASIC or No Auth. However, if you know that a 
Windows Media server is configured for IWA authentication, the following 
procedure allows you to designate any virtual IP addresses to the IWA 
authentication type. If you know that all of the activity through the ProxySG 
requires IWA authentication, you can use the IP address of the appliance. 

To designate an IP address to an authentication type: 

1. If necessary, create a virtual IP address that is used to contact the Windows 
Media server. 

2. At the (config) prompt, enter the following command: 

SGOS# (config) streaming windows-media server-auth-type ntlm ip_address 

3. Configure the ASX rewrite rule to use the IP address. 

a. To remove the authentication type designation: 

SGOS# (config) streaming windows-media no server-auth-type 

ipaddress 

b. To return the authentication type to BASIC: 

SGOS# (config) streaming windows-media server-auth-type basic 

ip_address 
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Section D: Configuring Windows Media Player 

Section D: Configuring Windows Media Player 

This section describes how to configure Windows Media Player to communicate 
through the ProxySG. 

To apply the ProxySG Windows Media streaming services, Windows Media 
Player must be installed and configured to use explicit proxy 



Note: The example below uses Windows Media Player 11. Installation and setup 
varies with different versions of Windows Media Player. 



To configure Windows Media Player: 

1. Start Windows Media Player. 

2. Select Tools > Options. 
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Section D: Configuring Windows Media Player 



3a. 



3b 



3c- 



Player || Rip Music 
Plua-ins Privacy 



Devices 

Security 



Bum 



Performance Library 

File Types CDVD Network 



Specify settings for playing digital media content that is streamed 



to receive da 



from the Internet. 

Protocols for MMS URLs 

Try to use the following protocols when receiving an MMS URL: 
0 RTSP/UDP 

0 RTSP/TCP □ Use ports 
0HTTP 

Multicast Streams 

0 Allow the player to receive multicast streams 

Streaming proxy settings 

Protocol Proxy 
^^HTTP Browser 

RTSP None 



Se l ect the protoco l above, and then d i ck Configufe o Confii 



• v To change the proxy settings used for online stores, use 
si / Options in Control Panel. 



c 



Configure Protocol 



Select the proxy settings for the HTTP protocol. 

Proxy settings 

O Autodetect proxy settings 
O Use proxy settings of the Web browser 
O Do not use a proxy server 
(♦) Use the following proxy server: 

Address: I lO.l.l.lJ 

I I Bypass proxy server for local addresses 
Do not use proxy server for addresses beginning with: 



Use semicolons ( ; ) to separate 



m 




-tr 



3. Navigate to protocol configuration: 

a. Select Network. 

b. Select HTTP. 



c. Click Configure. The Configure Protocol dialog displays. 

4. Configure the proxy settings: 

a. Select Use the following proxy server. 

b. Enter the ProxySG IP address and the port number used for the 
explicit proxy (the default HTTP port is 80). These settings must match 
the settings configured in the ProxySG. If you change the ProxySG 
explicit proxy configuration, you must also reconfigure Windows 
Media Player. 

5. Click OK in both dialogs. Result: Windows Media Player now proxies through 
the ProxySG and content is susceptible to streaming configurations and access 
policies. 



Windows Media Player Interactivity Notes 

This section describes Windows Media Player interactivities that might affect 
performance. 
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Section D: Configuring Windows Media Player 

Striding 

When you use Windows Media Player, consider the following interactivities in 
regard to using fast forward and reverse (referred to as striding): 

□ If you request a cached file and repeatedly attempt play and fast forward, the 
file freezes. 

□ If you attempt a fast reverse of a cached file that is just about to play, you 
receive an error message, depending on whether you have a proxy: 

• Without a proxy: A device attached to the system is not functioning. 

• With a proxy: The request is invalid in the current state. 

□ If Windows Media Player is in pause mode for more than ten minutes and 
you press fast reverse or fast forward, an error message displays: The network 
connection has failed. 

Other Notes 

□ Applies to Version 9: If a uri host rewrite rule is configured to rewrite a host 
name that is a domain name instead of an IP address, a request through the 
MMS protocol fails and the host is not rewritten. As the connect message sent 
by the player at the initial connection does not contain the host name, a 
rewrite cannot occur. HTTP requests are not affected by this limitation. 

□ If explicit proxy is configured and the access policy on the ProxySG is set to 
deny, a requested stream using HTTP from Windows Media Player 9 serves 
the stream directly from the origin server even after the request is denied. The 
player sends a request to the OCS and plays the stream from there. 

Blue Coat recommends the following policy: 

<proxy> 

streaming . content=yes deny 

-or- 

<proxy> 

streaming. content=windows_media deny 

The above rules force the HTTP module to hand off HTTP requests to the 
MMS module. MMS returns the error properly to the player, and does not go 
directly to the origin server to try to serve the content. 

□ If you request an uncached file using the HTTP protocol, the file is likely to 
stop playing if the authentication type is set to BASIC or NTLM/Kerberos and 
you initiate rapid seeks before the buffering begins for a previous seek. 
Windows Media Player, however, displays that the file is still playing. 

□ If a stream is scheduled to be accessible at a future time (using a simulated live 
rule), and the stream is requested before that time, Windows Media Player 
enters a waiting stage. This is normal. However, if HTTP is used as the 
protocol, after a minute or two Windows Media Player closes the HTTP 
connection, but remains in the waiting stage, even when the stream is 
broadcasting. 
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Section D: Configuring Windows Media Player 

Notes: 

For authentication-specific notes, see "Windows Media Server-Side 
Authentication" on page 48 and "Windows Media Proxy Authentication" on page 
49. 
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Section E: Configuring RealPlayer 

This section describes how to configure Real Player to communicate through the 
ProxySG. 

To use the ProxySG Real Media streaming services with an explicit proxy 
configuration, the client machine must have RealPlayer installed and configured 
to use RTSP streams. If you use transparent proxy, no changes need to be made to 
RealPlayer. 



Note: This procedure features RealPlayer, version 10.5. Installation and setup 
menus vary with different versions of RealPlayer. Refer to the RealPlayer 
documentation to configure earlier versions of RealPlayer. 



To configure RealPlayer: 

1. Start RealPlayer. 

2. Select Tools > Preferences. 




3a 



3b 



4a 



4b 



79 







Volume 3: Web Communication Proxies 



3. Navigate to proxy settings: 

a. Select Connection > Proxy. 

b. Click Change Settings. The Streaming Proxy Settings dialog appears. 

4. Configure options: 

a. In the PNA and RTSP proxies: field, select Use proxies. 

b. Enter the ProxySG IP address and the port number used for the 
explicit proxy (the default RTSP port is 544). These settings must 
match the settings configured in the ProxySG. If you change the 
ProxySG explicit proxy configuration, you must also reconfigure 
RealPlayer. If using transparent proxy, RTSP port 554 is set by default 
and cannot be changed. 

Note: For HTTP Proxy, if you have an HTTP proxy already configured in 
your browser, select Use system Internet Connection proxy settings. 



c. Optional: For HTTP Proxy, if you have an HTTP proxy already 
configured in your browser, select Use system Internet Connection proxy 
settings. 

d. Optional: In the Do not use proxy for: section, you can enter specific hosts 
and bypass the ProxySG. 

Note: This can also be accomplished with policy, the method Blue Coat 
recommends. 



e. Click OK to close the Streaming Proxy Settings dialog. 
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5a 



5b 



5. Configure RealPlayer transport settings: 

a. Select Connection > Network Transports. 

b. Click RTSP Settings. The RTSP Transport Settings dialog appears. 

6. If required, deselect options, based on your network configuration. For 
example, if your firewall does not accept UDP, you can deselect Attempt to use 
UDP for all content, but leave the TCP option enabled. Blue Coat recommends 
using the default settings. 

7. Click OK. 

To allow the creation of access log entries, RealPlayer must be instructed to 
communicate with the RealServer. 
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8a 



Category 



0 General 

Playback Settings 
0 Connection 



Internet / Privacy 



Proxy 

Network Transports 
0 My Library 
0 CD 
DVD 

0 Content 

Media Types 
0 Automatic Services 
AutoUpdate 
Message Center 
Hardware 



Tell Me More 



Internet / Privacy 



Privacy Settings 

The following options are provided for you to customize 
the way information is sent from your computer. 

0 Send connection-quality data to RealS ervers. (To aid content providers.) - 

1 I Send RealPlayer GUID to RealS ervers. (To aid content providers.) 

0 Send configuration info when connecting to T echnical Support. 

0 Enable RealPlayer Cookies. 

0 Enable HTML Clip Info. 

0 Allow websites to add items to Now Playing. 

Script Commands 

RealPlayer maintains a list of web locations for which you 
have specified that scripted commands are permitted. 

Registered Location 



8b 



Clear List 



8. Perform the following: 



a. Select View > Preferences > Internet/Privacy. 

b. In the Privacy field, select Send connection-quality data to RealServers; click 
OK. 

Result: RealPlayer now proxies through the ProxySG and content is susceptible to 
streaming configurations and access policies. 



Notes: 

For authentication-specific issues, see "Real Media Proxy Authentication" on page 
50 . 
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Section F: Configuring QuickTime Player 

This section describes how to configure QuickTime player for explicit proxy to the 
ProxySG. 

To configure QuickTime 

1. Start QuickTime player. 

2. Select Edit > Preferences > QuickTime Preferences. 




2a 



2b 



2d 



2c 



3. Configure the protocol settings: 

a. Click Advanced. 

b. Select RTSP Proxy Server; 

c. Enter the IP address of the ProxySG. 

d. Enter the port number (554 is the default). 

These settings must match the settings configured in the ProxySG. If you 
change the ProxySG explicit proxy settings, set similar settings in 
QuickTime. 

4. Close OK. Result: QuickTime now proxies — in pass-through mode — through 
the ProxySG. 



Notes: 

For authentication-specific issues, see "QuickTime Proxy Authentication" on page 
50. 
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Section G: Supported Streaming Media Clients and Protocols 

This section describes the vendor-specific streaming protocols supported by the 
ProxySG. 



Note: Blue Coat recommends upgrading to WMP version 9 or later. Note that 

WMP version 11 does not support the Microsoft Media Services (MMS) protocol. 



Supported Streaming Media Clients and Servers 

The ProxySG supports Microsoft Windows Media, RealNetworks RealPlayer, and 
Apple QuickTime; however, the various players might experience unexpected 
behavior dependent upon certain SGOS configurations and features. Feature 
sections list such interactivities, as necessary. For a list of the most current 
versions of each supported client, refer to the Blue Coat SGOS Release Notes for 
this release. 

Supported Windows Media Players and Servers 

The ProxySG supports the following versions and formats: 

□ Windows Media Player 

□ Windows Media Server 

Supported Real Media Players and Servers 

The ProxySG supports the following versions: 

□ RealOne Player 

□ RealPlayer 

□ RealServer 

□ Helix Universal Server 



Note: Blue Coat recommends not deploying a Helix proxy between the 
ProxySG and a Helix server where the Helix proxy is the parent to the 
ProxySG. This causes errors with the Helix server. The reverse is acceptable 
(using a Helix proxy as a child to the ProxySG). 



Supported QuickTime Players and Servers 

The ProxySG supports the following versions, but in pass-through mode only: 

□ QuickTime Player 

□ Darwin Streaming Server 

□ Helix Universal Server 
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Supported Streaming Protocols 

Each streaming media platform supports its own set of protocols. This section 
describes the protocols the ProxySG supports. 

Windows Media Protocols 

The ProxySG supports Windows Media content streamed over RTSP and HTTP. 
The following Windows Media transports are supported: 

Client-side 

□ RTP over unicast UDP (RTSP over TCP, RTP over unicast UDP) 

□ Interleaved RTSP (RTSP over TCP, RTP over TCP on the same connection) 

□ RTP over multicast UDP (RTP over multicast UDP; for live content only) 

□ HTTP streaming 

□ MMS-UDP (Microsoft Media Streaming — User Data Protocol) 

□ MMS-TCP (Microsoft Media Streaming — Transmission Control Protocol) 

□ Multicast-UDP is the only delivery protocol supported for multicast. No TCP 
control connection exists for multicast delivery 

Server-side 

□ Interleaved RTSP 

□ HTTP streaming 

□ MMS-TCP between the ProxySG and origin server for video-on-demand and 
live unicast content 

Server-side RTP over UDP is not supported. If policy directs the RTSP proxy to 
use HTTP as server-side transport, the proxy denies the client request. The client 
then rolls over to MMS or HTTP. 



Note: The MMS protocol is usually referred to as either MMS-TCP or MMS- 
UDP depending on whether TCP or UDP is used as the transport layer for 
sending streaming data packets. MMS-UDP uses a TCP connection for 
sending and receiving media control messages, and a UDP connection for 
streaming the actual media data. MMS-TCP uses TCP connections to send 
both control and data messages. The MMS protocol is not supported in WMP 
11 and higher. 



Real Media Protocols 

The ProxySG supports the following Real Media protocols: 
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Client-Side 

□ HTTP streaming (RTSP and RDT over TCP tunneled through HTTP) — HTTP 
streaming is supported through a handoff process from HTTP to RTSP HTTP 
accepts the connection and, based on the headers, hands off to RTSP The 
headers identify an RTSP URL. 

□ RDT over unicast UDP (RTSP over TCP, RDT over unicast UDP) 

□ Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection) 

□ RDT over multicast UDP (RTSP over TCP, RDT over multicast UDP; for live 
content only) 

Server-Side 

□ HTTP streaming 

□ Interleaved RTSP 

Unsupported Protocols 

The following Real Media protocols are not supported in this version of SGOS: 

□ PNA 

□ Server-side RDT/ UDP (both unicast and multicast) 

QuickTime Protocols 

The ProxySG supports the following QuickTime protocols: 

□ HTTP streaming (RTSP and RDT over TCP tunneled through HTTP) — HTTP 
streaming is supported through a handoff process from HTTP to RTSP HTTP 
accepts the connection and, based on the headers, hands off to RTSP The 
headers identify an RTSP URL. 

□ RTP over unicast UDP (RTSP over TCP, RDT over unicast UDP) 

□ Interleaved RTSP (RTSP over TCP, RDT over TCP on the same connection) 

Server-Side 

□ HTTP streaming 

□ Interleaved RTSP 

Unsupported Protocols 

The following QuickTime protocols are not supported in this version of SGOS: 

□ Server-side RTP/UDP, both unicast and multicast, is not supported. 

Client-side multicast is not supported. 
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Glossary 



access control list — Allows or denies specific IP addresses access to a server. 

access log — A list of all the requests sent to a ProxySG. You can read an access 
log using any of the popular log-reporting programs. When a client uses HTTP 
streaming, the streaming entry goes to the same access log. 

account — A named entity that has purchased the ProxySG or the Entitlements 
from Blue Coat. 

activation code — A string of approximately 10 characters that is generated and 
mailed to customers when they purchase the ProxySG. 

active content stripping — Provides a way to identify potentially dangerous mobile 
or active content and scripts, and strip them out of a response. 

active content types — Used in the Visual Policy Manager. Referring to Web 
Access policies, you can create and name lists of active content types to be 
stripped from Web pages. You have the additional option of specifying a 
customized message to be displayed to the user 

administration access policy — A policy layer that determines who can access the 
ProxySG to perform administrative tasks. 

administration authentication policy — A policy layer that determines how 
administrators accessing the ProxySG must authenticate. 

AJAX — Acronym for Asynchronous JavaScript and XML, the technology used 
for live updating of Web objects without having to reload the entire page. 

Application Delivery Network (ADN) — A WAN that has been optimized for 
acceleration and compression by Blue Coat. This network can also be secured 
through the use of appliance certificates. An ADN network is composed of an 
ADN manager and backup ADN manager, ADN nodes, and a network 
configuration that matches the environment. 

ADN backup manager — Takes over for the ADN manager in the event it becomes 
unavailable. See ADN manager. 

ADN manager — Responsible for publishing the routing table to SG Clients (and 
to other ProxySG appliances). 

ADN optimize attribute — Controls whether to optimize bandwidth usage when 
connecting upstream using an ADN tunnel. 

A record — The central records of DNS, which link a domain or subdomain to an 
IP address. An A record can correspond to a single IP address or many IP 
addresses. 

asx rewrite — Allows you to rewrite URLs and then direct a client's subsequent 
request to the new URL. One of the main applications of ASX file rewrites is to 
provide explicit proxy-like support for Windows Media Player 6.4, which 
cannot set explicit proxy mode for protocols other than HTTP. 
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audit — A log that provides a record of who accessed what and how. 

authenticate-401 attribute — All transparent and explicit requests received on the port 
always use transparent authentication (cookie or IP, depending on the 
configuration). This is especially useful to force transparent proxy authentication 
in some proxy-chaining scenarios 

authenticated content — Cached content that requires authentication at the origin 
content server (OCS). Supported authentication types for cached data include 
basic authentication and IWA (or NTLM). 

authentication — Allows you to verify the identity of a user. In its simplest form, this 
is done through usernames and passwords. Much more stringent authentication 
can be employed using digital certificates that have been issued and verified by a 
Certificate Authority. See also basic authentication, proxy authentication, and SSL 
authentication. 

authentication realm — Authenticates and authorizes users to access SG services 
using either explicit proxy or transparent proxy mode. These realms integrate 
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat 
operating system. 

authorization — The permissions given to an authenticated user. 



bandwidth — The amount of data you can send through a network or modem 
connection, usually measured in bits per second (bps). 

bandwidth class — A defined unit of bandwidth allocation. 

bandwidth class hierarchy — A gouping of bandwidth classes into a tree structure 
that specifies the relationship among different classes. You create a hierarchy by 
creating at least one parent class and assigning other classes as its children. 

bandwidth gain — Bandwidth gain is a calculation of the savings that occur when 
bandwidth is not consumed as a result of some form of optimization. 

For example, bandwidth gain for active sessions is calculated by subtracting the 
number of client bytes from the number of server bytes and dividing the result by 
the number of server bytes. 

(Client Bytes - Server Bytes) / Server Bytes 

bandwidth management — Classify, control, and, if needed, limit the amount of 
bandwidth used by network traffic flowing in or out of a ProxySG. 

basic authentication — The standard authentication for communicating with the 
target as identified in the URL. 

BCAAA — Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to 
manage authentication and authorization for IWA, CA eTrust SiteMinder realms, 
Oracle COREid, Novell, and Windows realms. The agent is installed and 
configured separately from SGOS 5.x and is available from the Blue Coat Web 
site. 

BCLP — Blue Coat Licensing Portal. 

byte-range support — The ability of the ProxySG to respond to byte-range requests 
(requests with a Range : HTTP header). 
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cache — An "object store," either hardware or software, that stores information 
(objects) for later retrieval. The first time the object is requested, it is stored, 
making subsequent requests for the same information much faster. 

A cache helps reduce the response time and network bandwidth consumption on 
future, equivalent requests. The ProxySG serves as a cache by storing content 
from many users to minimize response time and prevent extraneous network 
traffic. 

cache control — Allows you to configure which content the ProxySG stores. 

cache efficiency — A tab found on the Statistics pages of the Management Console 
that shows the percent of objects served from cache, the percent loaded from the 
network, and the percent that were non-cacheable. 

cache hit — Occurs when the ProxySG receives a request for an object and can serve 
the request from the cache without a trip to the origin server. 

cache miss — Occurs when the ProxySG receives a request for an object that is not 
in the cache. The ProxySG must then fetch the requested object from the origin 
server. 

cache object — Cache contents includes all objects currently stored by the ProxySG. 
Cache objects are not cleared when the ProxySG is powered off. 

Certificate Authority (CA) — A trusted, third-party organization or company that 
issues digital certificates used to create digital signatures and public key/ private 
key pairs. The role of the CA is to guarantee that the individuals or company 
representatives who are granted a unique certificate are who they claim to be. 

child class (bandwidth gain) — The child of a parent class is dependent on that parent 
class for available bandwidth (they share the bandwidth in proportion to their 
minimum/ maximum bandwidth values and priority levels). A child class with 
siblings (classes with the same parent class) shares bandwidth with those siblings 
in the same manner. 

cipher suite — Specifies the algorithms used to secure an SSL connection. When a 
client makes an SSL connection to a server, it sends a list of the cipher suites that it 
supports. 

client consent certificates — A certificate that indicates acceptance or denial of 
consent to decrypt an end user's HTTPS request. 

client-side transparency — A way of replacing the ProxySG IP address with the Web 
server IP address for all port 80 traffic destined to go to the client. This effectively 
conceals the ProxySG address from the client and conceals the identity of the 
client from the Web server. 

concentrator — A ProxySG, usually located in a data center, that provides access to 
data center resources, such as file servers. 

content filtering — A way of controlling which content is delivered to certain users. 
ProxySG appliances can filter content based on content categories (such as 
gambling, games, and so on), type (such as http, ftp, streaming, and mime type), 
identity (user, group, network), or network conditions. You can filter content 
using vendor-based filtering or by allowing or denying access to URLs. 
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default boot system — The system that was successfully started last time. If a system 
fails to boot, the next most recent system that booted successfully becomes the 
default boot system. 

default proxy listener — See proxy service (default). 

denial of service (DoS) — A method that hackers use to prevent or deny legitimate 
users access to a computer, such as a Web server. DoS attacks typically send many 
request packets to a targeted Internet server, flooding the server's resources and 
making the system unusable. Any system connected to the Internet and equipped 
with TCP-based network services is vulnerable to a DoS attack. 

The ProxySG resists DoS attacks launched by many common DoS tools. With a 
hardened TCP/IP stack, the ProxySG resists common network attacks, including 
traffic flooding. 

destination objects — Used in Visual Policy Manager. These are the objects that 
define the target location of an entry type. 

detect protocol attribute — Detects the protocol being used. Protocols that can be 
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and 
Endpoint Mapper. 

diagnostic reporting — Found in the Statistics pane, the Diagnostics tab allows you to 
control whether Daily Heartbeats and/ or Blue Coat Monitoring are enabled or 
disabled. 

directives — Commands used in installable lists to configure forwarding and 
SOCKS gateway. 

DNS access — A policy layer that determines how the ProxySG processes DNS 
requests. 

domain name system (DNS) — An Internet service that translates domain names into 
IP addresses. 

dynamic bypass — Provides a maintenance-free method for improving performance 
of the ProxySG by automatically compiling a list of requested URLs that return 
various kinds of errors. 

dynamic real-time rating (DRTR) — Used in conjunction with the Blue Coat Web Filter 
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis 
and content categorization of requested Web pages to solve the problem of new 
and previously unknown uncategorized URLs — those not in the database. 

When a user requests a URL that has not already been categorized by the BCWF 
database (for example, a brand new Web site), the ProxySG dynamic 
categorization service analyzes elements of the requested content and assigns a 
category or categories. The dynamic service is consulted only when the installed 
BCWF database does not contain category information for an object. 



early intercept attribute — Controls whether the proxy responds to client TCP 
connection requests before connecting to the upstream server. When early 
intercept is disabled, the proxy delays responding to the client until after it has 
attempted to contact the server. 
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ELFF-compatible format — A log type defined by the W3C that is general enough to 
be used with any protocol. 

emulated certificates — Certificates that are presented to the user by the ProxySG 
when intercepting HTTPS requests. Blue Coat emulates the certificate from the 
server and signs it, copying the subjectName and expiration. The original 
certificate is used between the ProxySG and the server. 

encrypted log — A log is encrypted using an external certificate associated with a 
private key. Encrypted logs can only be decrypted by someone with access to the 
private key. The private key is not accessible to the ProxySG. 

EU LA — End user license agreement. 

event logging — Allows you to specify the types of system events logged, the size of 
the event log, and to configure Syslog monitoring. The ProxySG can also notify 
you by email if an event is logged. See also access logging. 

explicit proxy — A configuration in which the browser is explicitly configured to 
communicate with the proxy server for access to content. This is the default for 
the ProxySG and requires configuration for both the browser and the interface 
card. 

extended log file format (ELFF) — A variant of the common log file format, which has 
two additional fields at the end of the line — the referer and the user agent fields. 



fail open/closed — Failing open or closed applies to forwarding hosts and groups 
and SOCKS gateways. Fail open or closed applies when health checks are 
showing sick for each forwarding or SOCKS gateway target in the applicable fail- 
over sequence. If no systems are healthy, the ProxySG fails open or closed, 
depending on the configuration. If closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 

filtering — See content filtering. 

forward proxy — A proxy server deployed close to the clients and used to access 
many servers. A forward proxy can be explicit or transparent. 

FTP — See Native FTP and Web FTP. 



gateway — A device that serves as entrance and exit into a communications 
network. 



hardware serial number — A string that uniquely identifies the ProxySG; it is assigned 
to each unit in manufacturing. 

health check tests — The method of determining network connectivity, target 
responsiveness, and basic functionality. The following tests are supported: 
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• ICMP 

• TCP 

• SSL 

• HTTP 

• HTTPS 

• Group 

• Composite and reference to a composite result 

• ICAP 

• Websense 

• DRTR rating service 

health check type — The kind of device or service the specific health check tests. The 
following types are supported: 

• Forwarding host and forwarding group 

• SOCKS gateway and SOCKS gateway group 

• CAP service and ICAP service group 

• Websense off-box service and Websense off-box service group 

• DRTR rating service 

• User-defined host and a user-defined composite 

heartbeat — Messages sent once every 24 hours that contain the statistical and 
configuration data for the ProxySG, indicating its health. Heartbeats are 
commonly sent to system administrators and to Blue Coat. Heartbeats contain no 
private information, only aggregate statistics useful for pre-emptively diagnosing 
support issues. 

The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency 
heartbeats contain core dump and restart flags in addition to daily heartbeat 
information. 

host affinity — The attempt to direct multiple connections by a single user to the 
same group member. Host affinity is closely tied to load balancing behavior; both 
should be configured if load balancing is important. 

host affinity timeout — The host affinity timeout determines how long a user remains 
idle before the connection is closed. The timeout value checks the user's IP 
address, SSL ID, or cookie in the host affinity table. 



inbound traffic (bandwidth gain) — Network packets flowing into the ProxySG. 
Inbound traffic mainly consists of the following: 

• Server inbound: Packets originating at the origin content server (OCS) and 
sent to the ProxySG to load a Web object. 
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• Client inbound: Packets originating at the client and sent to the ProxySG 
for Web requests. 

installable list — A list of configuration parameters that can be created using a text 
editor (either Blue Coat or another text editor) or through the CLI inline 
commands. The list can then be downloaded to the ProxySG from an HTTP server 
or locally from your PC. Configurations that can be created and installed this way 
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy 
files, and exceptions. 

integrated host timeout — An integrated host is an origin content server (OCS) that 
has been added to the health check list. The host, added through the 
integrate_new_hosts property, ages out of the integrated host table after 
being idle for the specified time. The default is 60 minutes. 

intervals — Time period from the completion of one health check to the start of the 
next health check. 

IP reflection — Determines how the client IP address is presented to the origin 
server for explicitly proxied requests. All proxy services contain a reflect-ip 
attribute, which enables or disables sending of client's IP address instead of the IP 
address of the ProxySG. 

issuer keyring — The keyring used by the ProxySG to sign emulated certificates. The 
keyring is configured on the appliance and managed through policy. 



licensable component (LC) — (Software) A subcomponent of a license; it is an option 
that enables or disables a specific feature. 

LCAMS — License Configuration and Management System. 

license — Provides both the right and the ability to use certain software functions 
within a Proxy AV (or ProxySG) appliance. The license key defines and controls 
the license, which is owned by an account. 

listener — The service that is listening on a specific port. A listener can be identified 
by any destination IP/subnet and port range. Multiple listeners can be added to 
each service. 

live content — Also called live broadcast. Used in streaming, it indicates that the 
content is being delivered fresh. 

LKF — License key file. 

load balancing — A way to share traffic requests among multiple upstream systems 
or multiple IP addresses on a single host. 

local bypass list — A list you create and maintain on your network. You can use a 
local bypass list alone or in conjunction with a central bypass list. 

local policy file — Written by enterprises (as opposed to the central policy file 
written by Blue Coat); used to create company- and department-specific 
advanced policies written in the Blue Coat Policy Language (CPL). 
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log facility — A separate log that contains a single logical file and supports a single 
log format. It also contains the file's configuration and upload schedule 
information as well as other configurable information such as how often to rotate 
(switch to a new log) the logs at the destination, any passwords needed, and the 
point at which the facility can be uploaded. 

log format — The type of log that is used: NCSA/ Common, SQUID, ELFF, 
SurfControl, or Websense. 

The proprietary log types each have a corresponding pre-defined log format that 
has been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other EFFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the ProxySG. It is also 
possible to create new log formats of type EFFF or Custom which can contain any 
desired combination of log fields. 

log tail — The access log tail shows the log entries as they get logged. With high 
traffic on the ProxySG, not all access log entries are necessarily displayed. 
However, you can view all access log information after uploading the log. 



M 

MACH5 — SGOS 5 MACH5 Edition. 

Management Console — A graphical Web interface that lets you to manage, 
configure, monitor, and upgrade the ProxySG from any location. The 
Management Console consists of a set of Web pages and Java applets stored on 
the ProxySG. The appliance acts as a Web server on the management port to serve 
these pages and applets. 

management information base (MIB) — Defines the statistics that management systems 
can collect. A managed device (gateway) has one or more MIBs as well as one or 
more SNMP agents, which implements the information and management 
functionality defined by a specific MIB. 

maximum object size — The maximum object size stored in the ProxySG. All objects 
retrieved that are greater than the maximum size are delivered to the client but 
are not stored in the ProxySG. 

Media Access Control (MAC) address — A unique value associated with a network 
adapter; also known as hardware address or physical address. For the ProxySG, it 
is a hardware address that is stored in each network card (such as an SSF 
accelerator card or a Quad GigE Fiber EX card) on the ProxySG. The MAC 
address uniquely identifies an adapter on a FAN and is a 12-digit hexadecimal 
number (48 bits in length). 

MIME/FILE type filtering — Allows organizations to implement Internet policies for 
both uploaded and downloaded content by MIME or FIFE type. 

multi-bit rate — The capability of a single stream to deliver multiple bit rates to 
clients requesting content from ProxySG appliances from within varying levels of 
network conditions (such as different connecting band widths and traffic). 

multicast — Used in streaming; the ability for hundreds or thousands of users to 
play a single stream. 
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multicast aliases — Used in streaming; a streaming command that specifies an alias 
for a multicast URL to receive an .nsc file. The .nsc files allows the multicast 
session to obtain the information in the control channel 

multicast station — Used in streaming; a defined location on the proxy where the 
Windows Media player can retrieve streams. A multicast station enables 
multicast transmission of Windows Media content from the cache. The source of 
the multicast-delivered content can be a unicast-live source, a multicast (live) 
source, and simulated live (video-on-demand content converted to scheduled live 
content). 

multimedia content services — Used in streaming; multimedia support includes Real 
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash. 



name inputing — Allows a ProxySG to resolve host names based on a partial name 
specification. When a host name is submitted to the DNS server, the DNS server 
resolves the name to an IP address. If the host name cannot be resolved. Blue Coat 
adds the first entry in the name-inputing list to the end of the host name and 
resubmits it to the DNS server 

native FTP — Native FTP involves the client connecting (either explicitly or 
transparently) using the FTP protocol; the ProxySG then connects upstream 
through FTP (if necessary). 

NCSA common log format — Blue Coat products are compatible with this log type, 
which contains only basic HTTP access information. 

network address translation (NAT) — The process of translating private network (such 
as intranet) IP addresses to Internet IP addresses and vice versa. This 
methodology makes it possible to match private IP addresses to Internet IP 
addresses even when the number of private addresses outnumbers the pool of 
available Internet addresses. 

non-cacheable objects — A number of objects are not cached by the ProxySG because 
they are considered non-cacheable. You can add or delete the kinds of objects that 
the appliance considers non-cacheable. Some of the non-cacheable request types 
are: 

• Pragma no-cache, requests that specify non-cached objects, such as when 
you click refresh in the Web browser. 

• Password provided, requests that include a client password. 

• Data in request that include additional client data. 

• Not a GET request. 

.nsc file — Created from the multicast station definition and saved through the 
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc 
file, the multicast station definition does not work. 
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NTP — To manage objects in an appliance, a ProxySG must know the current 
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to 
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The 
ProxySG includes a list of NTP servers available on the Internet, and attempts to 
connect to them in the order they appear in the NTP server list on the NTP tab. 



object (used in caching) — An object is the item that is stored in an appliance. These 
objects can be frequently accessed content, content that has been placed there by 
content publishers, or Web pages, among other things. 

object (used in Visual Policy Manager) — An object (sometimes referred to as a 
condition) is any collection or combination of entry types you can create 
individually (user, group, IP address/ subnet, and attribute). To be included in an 
object, an item must already be created as an individual entry. 

object pipelining — This patented algorithm opens as many simultaneous TCP 
connections as the origin server will allow and retrieves objects in parallel. The 
objects are then delivered from the appliance straight to the user's desktop as fast 
as the browser can request them. 

Online Certificate Status Protocol (OCSP) — An Internet protocol used for obtaining 
the revocation status of an X.509 digital certificate. OCSP was created as an 
alternative to certificate revocation lists (CRL), specifically addressing certain 
problems associated with using CRLs in a public key infrastructure (PKI). OCSP 
servers are called OCSP responders due to the request/ response nature of these 
messages. 

origin content server (OCS) — Also called origin server. This is the original source of 
the content that is being requested. An appliance needs the OCS to acquire data 
the first time, to check that the content being served is still fresh, and to 
authenticate users. 

outbound traffic (bandwidth gain) — Network packets flowing out of the ProxySG. 
Outbound traffic mainly consists of the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a 
service. 



PAC (Proxy AutoConfiguration) scripts — Originally created by Netscape, PACs are a 
way to avoid requiring proxy hosts and port numbers to be entered for every 
protocol. You need only enter the URL. A PAC can be created with the needed 
information and the local browser can be directed to the PAC for information 
about proxy hosts and port numbers. 

packet capture (PCAP) — Allows filtering on various attributes of the Ethernet frame 
to limit the amount of data collected. You can capture packets of Ethernet frames 
going into or leaving a ProxySG. 
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parent class (bandwidth gain) — A class with at least one child. The parent class must 
share its bandwidth with its child classes in proportion to the minimum/ 
maximum bandwidth values or priority levels. 

passive mode data connections (PASV) — Data connections initiated by an FTP client 
to an FTP server. 

pipelining — See object pipelining. 

policies — Groups of rules that let you manage Web access specific to the needs of 
an enterprise. Policies enhance ProxySG feature areas such as authentication and 
virus scanning, and let you control end-user Web access in your existing 
infrastructure. 

policy-based bypass list — Used in policy. Allows a bypass based on the properties of 
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the 
appliance based on destination IP address. See also dynamic bypass. 

policy layer — A collection of rules created using Blue Coat CPL or with the VPM. 

pragma: no cache (PNC) — A metatag in the header of a request that requires the 
appliance to forward a request to the origin server. This allows clients to always 
obtain a fresh copy. 

proxy — Caches content, filters traffic, monitors Internet and intranet resource 
usage, blocks specific Internet and intranet resources for individuals or groups, 
and enhances the quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity-based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the 
ProxySG, which can reference an existing security infrastructure — LDAP, 
RADIUS, IWA, and the like. 

Proxy Edition — SGOS 5 Proxy Edition. 

proxy service — The proxy service defines the ports, as well as other attributes, that 
are used by the proxies associated with the service. 

proxy service (default) — The default proxy service is a service that intercepts all 
traffic not otherwise intercepted by other listeners. It only has one listener whose 
action can be set to bypass or intercept. No new listeners can be added to the 
default proxy service, and the default listener and service cannot be deleted. 
Service attributes can be changed. 

ProxySG — A Blue Coat security and cache box that can help manage security and 
content on a network. 

public key certificate — An electronic document that encapsulates the public key of 
the certificate sender, identifies this sender, and aids the certificate receiver to 
verify the identity of the certificate sender. A certificate is often considered valid if 
it has been digitally signed by a well-known entity, which is called a Certificate 
Authority (such as VeriSign). 

public virtual IP (VIP) — Maps multiple servers to one IP address and then propagates 
that information to the public DNS servers. Typically, there is a public VIP known 
to the public Internet that routes the packets internally to the private VIP. This 
enables you to "hide" your servers from the Internet. 
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real-time streaming protocol (RTSP) — A standard method of transferring audio and 
video and other time-based media over Internet-technology based networks. The 
protocol is used to stream clips to any RTP-based client. 

reflect client IP attribute — Enables the sending of the client's IP address instead of the 
SG's IP address to the upstream server. If you are using an application delivery 
network (ADN), this setting is enforced on the concentrator proxy through the 

Configuration > App. Delivery Network > Tunneling tab. 

registration — An event that binds the appliance to an account, that is, it creates the 
Serial#, Account association. 

remote authentication dial-in user service (RADIUS) — Authenticates user identity via 
passwords for network access. 

Return to Sender (RTS) — A way of allowing outgoing TCP packets to use the same 
network interface on which the corresponding incoming TCP packets arrived. 
The destination Media Acess Control (MAC) address for the outgoing packets is 
the same as the source MAC address of the incoming packets. See also Media 
Access Control (MAC) address. 

reverse proxy — A proxy that acts as a front end to a small number of predefined 
servers, typically to improve performance. Many clients can use it to access the 
small number of predefined servers. 

routing information protocol (RIP) — Designed to select the fastest route to a 
destination. RIP support is built into ProxySG appliances. 

router hops — The number of jumps a packet takes when traversing the Internet. 
RTS — See Return to Sender. 



secure shell (SSH) — Also known as Secure Socket Shell. SSH is an interface and 
protocol that provides strong authentication and enables you to securely access a 
remote computer. Three utilities — login, ssh, and scp — comprise SSH. Security 
via SSH is accomplished using a digital certificate and password encryption. 
Remember that the Blue Coat ProxySG requires SSH1. A ProxySG supports a 
combined maximum of 16 Telnet and SSH sessions. 

serial console — A third-party device that can be connected to one or more Blue 
Coat appliances. Once connected, you can access and configure the appliance 
through the serial console, even when you cannot access the appliance directly. 

server certificate categories — The hostname in a server certificate can be categorized 
by BCWF or another content filtering vendor to fit into categories such as 
banking, finance, sports. 

server portals — Doorways that provide controlled access to a Web server or a 
collection of Web servers. You can configure Blue Coat appliances to be server 
portals by mapping a set of external URLs onto a set of internal URLs. 
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server-side transparency — The ability for the server to see client IP addresses, which 
enables accurate client-access records to be kept. When server-side transparency 
is enabled, the appliance retains client IP addresses for all port 80 traffic to and 
from the ProxySG. In this scheme, the client IP address is always revealed to the 
server. 

service attributes — Define the parameters, such as explicit or transparent, cipher 
suite, and certificate verification, that the ProxySG uses for a particular service. 

sibling class (bandwidth gain) — A bandwidth class with the same parent class as 
another class. 

signed system image — Cryptographically signed with a key known only to Blue 
Coat, and the signature is verified when the image is downloaded to the system. 

simple network management protocol (SNMP) — The standard operations and 
maintenance protocol for the Internet. It consists of a set of standards for network 
management, including an application layer protocol, a database schema, and a 
set of data objects. In SNMP, the available information is defined by management 
information bases (MIBs), which describe the structure of the management data. 

simulated live — Used in streaming. Defines playback of one or more video-on- 
demand files as a scheduled live event, which begins at a specified time. The 
content can be looped multiple times, or scheduled to start at multiple start times 
throughout the day. 

SmartReporter log type — A proprietary ELFF log type that is compatible with the 
SmartFilter SmartReporter tool. 

SOCKS — A proxy protocol for TCP/IP-based networking applications that allows 
users transparent access across the firewall. If you are using a SOCKS server for 
the primary or alternate forwarding gateway, you must specify the appliance's ID 
for the identification protocol used by the SOCKS gateway. The machine ID 
should be configured to be the same as the appliance's name. 

SOCKS proxy — A generic way to proxy TCP and UDP protocols. The ProxySG 
supports both SOCKSv4/ 4a and SOCKSv5; however, because of increased 
username and password authentication capabilities and compression support. 
Blue Coat recommends that you use SOCKS v5. 

splash page — The custom message page that displays the first time you start the 
client browser. 

split proxy — Employs co-operative processing at the branch and the core to 
implement functionality that is not possible in a standalone proxy. Examples of 
split proxies include: 

• Mapi Proxy 

• SSE Proxy 

SQUID-compatible format — A log type that was designed for cache statistics and is 
compatible with Blue Coat products. 

squid-native log format — The Squid-compatible format contains one line for each 
request. 

SSL authentication — Ensures that communication is with "trusted" sites only. 
Requires a certificate issued by a trusted third party (Certificate Authority). 
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SSL client — See SSL device profile. 

SSL device profile — Used to determine various SSL parameters for outgoing HTTPS 
connections. Specifically, its role is to: 

• Identify the SSL protocol version that the ProxySG uses in negotiations 
with origin servers. 

• Identify the cipher suites used. 

• Determine which certificate can be presented to origin servers by 
associating a keyring with the profile. 

SSL interception — Decrypting SSL connections. 

SSL proxy — A proxy that can be used for any SSL traffic (HTTPS or not), in either 
forward or reverse proxy mode. 

static route — A manually-configured route that specifies the transmission path a 
packet must follow, based on the packet's destination address. A static route 
specifies a transmission path to another network. 

statistics — Every Blue Coat appliance keeps statistics of the appliance hardware 
and the objects it stores. You can review the general summary, the volume, 
resources allocated, cache efficiency, cached contents, and custom URLs 
generated by the appliance for various kinds of logs. You can also check the event 
viewer for every event that occurred since the appliance booted. 

stream — A flow of a single type of data, measured in kilobits per second (Kbps). A 
stream could be the sound track to a music video, for example. 

SurfControl log type — A proprietary log type that is compatible with the 
SurfControl reporter tool. The SurfControl log format includes fully-qualified 
usernames when an NTLM realm provides authentication. The simple name is 
used for all other realm types. 

syslog — An event-monitoring scheme that is especially popular in Unix 
environments. Most clients using Syslog have multiple devices sending messages 
to a single Syslog daemon. This allows viewing a single chronological event log of 
all of the devices assigned to the Syslog daemon. The Syslog format is: "Date Time 
Hostname Event." 

system cache — The software cache on the appliance. When you clear the cache, all 
objects in the cache are set to expired. The objects are not immediately removed 
from memory or disk, but a subsequent request for any object requested is 
retrieved from the origin content server before it is served. 



TCP window size — The number of bytes that can be buffered before the sending host 
must wait for an acknowledgement from the receiving host. 

time-to-live (TTL) value — Used in any situation where an expiration time is needed. 
For example, you do not want authentication to last beyond the current session 
and also want a failed command to time out instead of hanging the box forever. 

traffic flow (bandwidth gain) — Also referred to as flow. A set of packets belonging to 
the same TCP/UDP connection that terminate at, originate at, or flow through the 
ProxySG. A single request from a client involves two separate connections. One of 
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them is from the client to the ProxySG, and the other is from the ProxySG to the 
OCS. Within each of these connections, traffic flows in two directions — in one 
direction, packets flow out of the ProxySG (outbound traffic), and in the other 
direction, packets flow into the ProxySG (inbound traffic). Connections can come 
from the client or the server. Thus, traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 

transmission control protocol (TCP) — TCP, when used in conjunction with IP 
(Internet Protocol) enables users to send data, in the form of message units called 
packets, between computers over the Internet. TCP is responsible for tracking and 
handling, and reassembly of the packets; IP is responsible for packet delivery. 

transparent proxy — A configuration in which traffic is redirected to the ProxySG 
without the knowledge of the client browser. No configuration is required on the 
browser, but network configuration, such as an L4 switch or a WCCP-compliant 
router, is required. 

trial period — Starting with the first boot, the trial period provides 60 days of free 
operation. All features are enabled during this time. 



unicast alias — Defines an name on the appliance for a streaming URL. When a 
client requests the alias content on the appliance, the appliance uses the URL 
specified in the unicast-alias command to request the content from the origin 
streaming server. 

universal time coordinates (UTC) — A ProxySG must know the current UTC time. By 
default, the appliance attempts to connect to a Network Time Protocol (NTP) 
server to acquire the UTC time. If the ProxySG cannot access any NTP servers, 
you must manually set the UTC time. 

URL filtering — See content filtering. 

URL rewrite rules — Rewrite the URLs of client requests to acquire the streaming 
content using the new URL. Lor example, when a client tries to access content on 
www.mycompany.com, the ProxySG is actually receiving the content from the 
server on 10.253.123.123. The client is unaware that mycompany.com is not 
serving the content; however, the ProxySG access logs indicate the actual server 
that provides the content. 



WCCP — Web Cache Communication Protocol. Allows you to establish redirection 
of the traffic that flows through routers. 
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Web FTP — Web FTP is used when a client connects in explicit mode using HTTP 
and accesses an ftp:/ / URL. The ProxySG translates the HTTP request into an 
FTP request for the OCS (if the content is not already cached), and then translates 
the FTP response with the file contents into an HTTP response for the client. 

Websense log type — A Blue Coat proprietary log type that is compatible with the 
Websense reporter tool. 



XML responder — HTTP XML service that runs on an external server. 

XML requestor — XML realm. 
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